Analysis
max time kernel: 142s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-12-2024 15:53

Behavioral task: behavioral1
Sample: cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f.exe
Resource: win7-20240903-en
General
Target: cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f.exe
Size: 3.1MB
MD5: dd7a806c734df62ecf4802977fa0b3e9
SHA1: 42eae42e0fcfe9d9a54e493a670adde5241377da
SHA256: cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f
SHA512: 0f8e2e565b40baabdde4018db57e06aee8e8dfeb4b1491e8e02e56a20e6b55bc1130ed74a702c35e043d4886af969af5d8ca26f5caeb0e96694982ecfbc80bbf
SSDEEP: 49152:yvkt62XlaSFNWPjljiFa2RoUYIO8RJ6IbR3LoGdaTHHB72eh2NT:yv462XlaSFNWPjljiFXRoUYIO8RJ6i
Malware Config
Extracted: quasar 1.4.1
Aryszx
Apichat:4782
181f4a12-4cad-46a9-9896-1001033c5b69
encryption_key: F4F359BEF442D9221F73F7D64267E0E300CC68CE
install_name: Runtime Broker.exe
log_directory: Logs
reconnect_delay: 1
startup_key: Runtime Broker
Signatures

Quasar family

Quasar payload 2 IoCs
resource / yara_rule:
- behavioral2/memory/4580-1-0x0000000000B90000-0x0000000000EB4000-memory.dmp family_quasar
- behavioral2/files/0x000c000000023ba1-6.dat family_quasar
Checks computer location settings 2 TTPs 12 IoCs
Looks up country code configured in the registry, likely geofence.
description / ioc / Process:
- Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation Runtime Broker.exe (12 identical entries)
Executes dropped EXE 12 IoCs
pid / Process:
- 2212 Runtime Broker.exe
- 4808 Runtime Broker.exe
- 3044 Runtime Broker.exe
- 4192 Runtime Broker.exe
- 4308 Runtime Broker.exe
- 1340 Runtime Broker.exe
- 2764 Runtime Broker.exe
- 4964 Runtime Broker.exe
- 5068 Runtime Broker.exe
- 4924 Runtime Broker.exe
- 4180 Runtime Broker.exe
- 3012 Runtime Broker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid / Process:
- 836 PING.EXE
- 3128 PING.EXE
- 5040 PING.EXE
- 3512 PING.EXE
- 1320 PING.EXE
- 4872 PING.EXE
- 5108 PING.EXE
- 3472 PING.EXE
- 4948 PING.EXE
- 4152 PING.EXE
- 2160 PING.EXE
- 2764 PING.EXE
Runs ping.exe 1 TTPs 12 IoCs
pid / Process:
- 1320 PING.EXE
- 5040 PING.EXE
- 836 PING.EXE
- 4948 PING.EXE
- 3128 PING.EXE
- 4152 PING.EXE
- 2160 PING.EXE
- 2764 PING.EXE
- 4872 PING.EXE
- 3512 PING.EXE
- 5108 PING.EXE
- 3472 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process:
- 4724 schtasks.exe
- 968 schtasks.exe
- 4988 schtasks.exe
- 3116 schtasks.exe
- 4880 schtasks.exe
- 1676 schtasks.exe
- 2468 schtasks.exe
- 4508 schtasks.exe
- 4360 schtasks.exe
- 2932 schtasks.exe
- 2604 schtasks.exe
- 4392 schtasks.exe
- 4052 schtasks.exe
Suspicious use of AdjustPrivilegeToken 13 IoCs
description / pid / Process:
- Token: SeDebugPrivilege 4580 cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f.exe
- Token: SeDebugPrivilege 2212 Runtime Broker.exe
- Token: SeDebugPrivilege 4808 Runtime Broker.exe
- Token: SeDebugPrivilege 3044 Runtime Broker.exe
- Token: SeDebugPrivilege 4192 Runtime Broker.exe
- Token: SeDebugPrivilege 4308 Runtime Broker.exe
- Token: SeDebugPrivilege 1340 Runtime Broker.exe
- Token: SeDebugPrivilege 2764 Runtime Broker.exe
- Token: SeDebugPrivilege 4964 Runtime Broker.exe
- Token: SeDebugPrivilege 5068 Runtime Broker.exe
- Token: SeDebugPrivilege 4924 Runtime Broker.exe
- Token: SeDebugPrivilege 4180 Runtime Broker.exe
- Token: SeDebugPrivilege 3012 Runtime Broker.exe
Suspicious use of SetWindowsHookEx 12 IoCs
pid / Process:
- 2212 Runtime Broker.exe
- 4808 Runtime Broker.exe
- 3044 Runtime Broker.exe
- 4192 Runtime Broker.exe
- 4308 Runtime Broker.exe
- 1340 Runtime Broker.exe
- 2764 Runtime Broker.exe
- 4964 Runtime Broker.exe
- 5068 Runtime Broker.exe
- 4924 Runtime Broker.exe
- 4180 Runtime Broker.exe
- 3012 Runtime Broker.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f.exe"
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4580

Level 2: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 4724
Level 2: C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2212

Level 3: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 968

Level 3: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VyXUgZDLGKCf.bat" "
- Suspicious use of WriteProcessMemory
PID: 2600

Level 4: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 3212

Level 4: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2160
Level 4: C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4808

Level 5: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 4988

Level 5: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKW8se4RMPXP.bat" "
- Suspicious use of WriteProcessMemory
PID: 3012

Level 6: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 4904

Level 6: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2764
Level 6: C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3044

Level 7: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 4508

Level 7: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AFbflFnLGBpP.bat" "
- Suspicious use of WriteProcessMemory
PID: 2340

Level 8: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 3200

Level 8: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1320
Level 8: C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4192

Level 9: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 4360

Level 9: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K0XI6DvVjpbh.bat" "
- Suspicious use of WriteProcessMemory
PID: 3496

Level 10: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 264

Level 10: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5040
Level 10: C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4308

Level 11: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 3116

Level 11: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ryh0Jqh518Xi.bat" "
- Suspicious use of WriteProcessMemory
PID: 4948

Level 12: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 3064

Level 12: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4872
Level 12: C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1340

Level 13: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 4880

Level 13: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1ZoxMAeBIwZZ.bat" "
- Suspicious use of WriteProcessMemory
PID: 1940

Level 14: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 4912

Level 14: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3512
Level 14: C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2764

Level 15: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 2932

Level 15: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUGsHVCvtJhA.bat" "
PID: 2520

Level 16: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 2440

Level 16: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 836
Level 16: C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 4964

Level 17: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 1676

Level 17: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AogVMM9oqArf.bat" "
PID: 4804

Level 18: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 3520

Level 18: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5108
Level 18: C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 5068

Level 19: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 2604

Level 19: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jgxsugq0r8EA.bat" "
PID: 3460

Level 20: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 812

Level 20: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3472
Level 20: C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 4924

Level 21: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 4392

Level 21: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QW4VDUyG0Ntu.bat" "
PID: 3700

Level 22: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 1736

Level 22: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4948
Level 22: C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 4180

Level 23: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 4052

Level 23: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCo53XKJR5Mj.bat" "
PID: 920

Level 24: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 952

Level 24: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3128
Level 24: C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 3012

Level 25: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 2468

Level 25: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V32xP7LBd0MM.bat" "
PID: 3044

Level 26: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 2548

Level 26: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4152
Downloads