Analysis
max time kernel: 147s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 06:36
Behavioral task behavioral1: sample RuntimeBroker.exe, resource win7-20240903-en
Behavioral task behavioral2: sample RuntimeBroker.exe, resource win10v2004-20241007-en
General
Target: RuntimeBroker.exe
Size: 3.1MB
MD5: b77d847b1d41cde07f81168c7addbb10
SHA1: 2d5c614efdef7ab59fa5fb665d6ed1a79502b97f
SHA256: 492a651e5ae2020b3b7fd51861adf68402089d050e083c3a9ef1a9866256000c
SHA512: 6fff7c253c543e370dcb459f0cc66003f57fbc35f40af5744deca97a2c593bf0881f96c845bbc15963e9eb81a652aec78a500ea41f2d1af5fbb5f0ec04c6c9f6
SSDEEP: 49152:nvelL26AaNeWgPhlmVqvMQ7XSKqaRJ61bR3LoGdEjTHHB72eh2NT:nvOL26AaNeWgPhlmVqkQ7XSKqaRJ6H
Malware Config
Extracted family: quasar
Version: 1.4.1
Botnet: RuntimeBroker
C2: siembonik-44853.portmap.host:44853
Mutex: df483a08-855b-4bf5-bdcb-174788919889
encryption_key: A8573AD4438B1D5F6207F7C03CCC7F1E2D4B13DF
install_name: RuntimeBroker.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: RuntimeBroker
subdirectory: am1
Signatures

Quasar family

Quasar payload (2 IoCs)
resource / yara_rule:
  behavioral2/memory/3100-1-0x0000000000280000-0x00000000005A4000-memory.dmp  family_quasar
  behavioral2/files/0x0007000000023cbe-5.dat  family_quasar

Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried by RuntimeBroker.exe (15 identical entries): \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (15 IoCs)
RuntimeBroker.exe PIDs: 2164, 3348, 100, 1568, 4936, 4248, 4188, 5028, 3496, 2536, 3048, 1880, 1420, 1244, 4204

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
PING.EXE PIDs: 2032, 3180, 344, 3432, 2684, 4764, 4632, 2132, 5044, 760, 3464, 4512, 4288, 2040, 2688

Runs ping.exe (1 TTPs, 15 IoCs)
PING.EXE PIDs: 2688, 344, 760, 2040, 4764, 2032, 3464, 2684, 3180, 4288, 3432, 4632, 2132, 5044, 4512

Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe PIDs: 2848, 432, 720, 3172, 1600, 4196, 4004, 2244, 1204, 4168, 880, 588, 2128, 1124, 452, 2664

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Token: SeDebugPrivilege, RuntimeBroker.exe PIDs: 3100, 2164, 3348, 100, 1568, 4936, 4248, 4188, 5028, 3496, 2536, 3048, 1880, 1420, 1244, 4204

Suspicious use of WriteProcessMemory (64 IoCs, 32 distinct parent/child pairs)
pid  Process            wrote to memory of  (procid_target)
3100 RuntimeBroker.exe  2664  (83)
3100 RuntimeBroker.exe  2164  (85)
2164 RuntimeBroker.exe  1204  (86)
2164 RuntimeBroker.exe  4408  (88)
4408 cmd.exe            3668  (90)
4408 cmd.exe            4764  (91)
4408 cmd.exe            3348  (99)
3348 RuntimeBroker.exe  2128  (100)
3348 RuntimeBroker.exe  928   (102)
928  cmd.exe            4812  (105)
928  cmd.exe            4632  (106)
928  cmd.exe            100   (113)
100  RuntimeBroker.exe  1600  (114)
100  RuntimeBroker.exe  2052  (117)
2052 cmd.exe            4100  (119)
2052 cmd.exe            2032  (120)
2052 cmd.exe            1568  (125)
1568 RuntimeBroker.exe  4196  (126)
1568 RuntimeBroker.exe  456   (128)
456  cmd.exe            232   (131)
456  cmd.exe            2132  (132)
456  cmd.exe            4936  (133)
4936 RuntimeBroker.exe  4168  (134)
4936 RuntimeBroker.exe  3772  (137)
3772 cmd.exe            396   (139)
3772 cmd.exe            3180  (140)
3772 cmd.exe            4248  (142)
4248 RuntimeBroker.exe  3172  (143)
4248 RuntimeBroker.exe  2580  (145)
2580 cmd.exe            3744  (148)
2580 cmd.exe            2688  (149)
2580 cmd.exe            4188  (151)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(depth in the process tree and PID, then image path; the command line and the signatures triggered by that process follow on the lines below)

depth 1, PID 3100: C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 2, PID 2664: C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 2, PID 2164: C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 3, PID 1204: C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 3, PID 4408: C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Yj2UZq0w7Hkj.bat" "
  - Suspicious use of WriteProcessMemory
depth 4, PID 3668: C:\Windows\system32\chcp.com
  chcp 65001
depth 4, PID 4764: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 4, PID 3348: C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 5, PID 2128: C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 5, PID 928: C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KrFpWPl6AdjU.bat" "
  - Suspicious use of WriteProcessMemory
depth 6, PID 4812: C:\Windows\system32\chcp.com
  chcp 65001
depth 6, PID 4632: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 6, PID 100: C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 7, PID 1600: C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 7, PID 2052: C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mjV1ulxZTPHG.bat" "
  - Suspicious use of WriteProcessMemory
depth 8, PID 4100: C:\Windows\system32\chcp.com
  chcp 65001
depth 8, PID 2032: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 8, PID 1568: C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 9, PID 4196: C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 9, PID 456: C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GbNLehvjHsgn.bat" "
  - Suspicious use of WriteProcessMemory
depth 10, PID 232: C:\Windows\system32\chcp.com
  chcp 65001
depth 10, PID 2132: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 10, PID 4936: C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 11, PID 4168: C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 11, PID 3772: C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWZy0Fwn99O5.bat" "
  - Suspicious use of WriteProcessMemory
depth 12, PID 396: C:\Windows\system32\chcp.com
  chcp 65001
depth 12, PID 3180: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 12, PID 4248: C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 13, PID 3172: C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 13, PID 2580: C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PNvIRUSZinWg.bat" "
  - Suspicious use of WriteProcessMemory
depth 14, PID 3744: C:\Windows\system32\chcp.com
  chcp 65001
depth 14, PID 2688: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 14, PID 4188: C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
depth 15, PID 1124: C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 15, PID 2176: C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkNRqPBvMW3C.bat" "
depth 16, PID 4432: C:\Windows\system32\chcp.com
  chcp 65001
depth 16, PID 344: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 16, PID 5028: C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
depth 17, PID 2848: C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 17, PID 3660: C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rx0PN9pxdZ2n.bat" "
depth 18, PID 1772: C:\Windows\system32\chcp.com
  chcp 65001
depth 18, PID 4288: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 18, PID 3496: C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
depth 19, PID 452: C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 19, PID 1452: C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gztIDvfV2i1n.bat" "
depth 20, PID 4520: C:\Windows\system32\chcp.com
  chcp 65001
depth 20, PID 5044: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 20, PID 2536: C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
depth 21, PID 880: C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 21, PID 3592: C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\shKhok65KhwU.bat" "
depth 22, PID 2844: C:\Windows\system32\chcp.com
  chcp 65001
depth 22, PID 760: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 22, PID 3048: C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
depth 23, PID 4004: C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 23, PID 4900: C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CXJIcOPsu0mx.bat" "
depth 24, PID 4472: C:\Windows\system32\chcp.com
  chcp 65001
depth 24, PID 3432: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 24, PID 1880: C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
depth 25, PID 432: C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 25, PID 1124: C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\miwtrAp66Vv9.bat" "
depth 26, PID 4188: C:\Windows\system32\chcp.com
  chcp 65001
depth 26, PID 3464: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 26, PID 1420: C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
depth 27, PID 2244: C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 27, PID 2880: C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMGw2YbYvv5o.bat" "
depth 28, PID 3868: C:\Windows\system32\chcp.com
  chcp 65001
depth 28, PID 4512: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 28, PID 1244: C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
depth 29, PID 720: C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 29, PID 4480: C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xh5Fia9le3lJ.bat" "
depth 30, PID 3512: C:\Windows\system32\chcp.com
  chcp 65001
depth 30, PID 2684: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 30, PID 4204: C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
depth 31, PID 588: C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 31, PID 232: C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wqaSkZBljvHN.bat" "
depth 32, PID 964: C:\Windows\system32\chcp.com
  chcp 65001
depth 32, PID 2040: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
MITRE ATT&CK Enterprise v15
Downloads