Analysis
-
max time kernel
69s -
max time network
71s -
platform
windows11-21h2_x64 -
resource
win11-20250410-en -
resource tags
-
submitted
12/04/2025, 13:44
General
-
Target
Shell.exe
-
Size
8KB
-
MD5
a024c2e0f89f240e545188c367a02329
-
SHA1
e1231801379f99c4d1db1a28b5089965eb61741c
-
SHA256
47a8fdf4fa289cd50105f4682750b7acd151486bad32470898dc8476c20a84a4
-
SHA512
a03b1c0f4908a23b9caeb31521ce94dd0b4873038d6b1ef9e5383cbf5e45ab7b75cd207a7ea00d1a6a519dd9ec96014d6e27004177de0e9a58ce1931c1b7621c
-
SSDEEP
192:olBAe53KHHtze7ODaWGk68bIZGTN6yQr5WEst8fO:8B30tzY37b8bnN6yQr5WEs6f
Score
10/10
Malware Config
Extracted
Family
remcos
Botnet
RuntimeBroker
C2
went-postcard.gl.at.ply.gg:30089
Attributes
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
RuntimeBroker.exe
-
copy_folder
RuntimeBroker
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%Temp%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-MHXRCK
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
Hawkeye family
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 61 IoCs
-
Adds Run key to start application 2 TTPs 26 IoCs
-
Drops file in System32 directory 8 IoCs
-
Suspicious use of SetThreadContext 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 39 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Shell.exe"C:\Users\Admin\AppData\Local\Temp\Shell.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
\??\c:\program files (x86)\internet explorer\iexplore.exe"c:\program files (x86)\internet explorer\iexplore.exe"6⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe7⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
\??\c:\program files (x86)\internet explorer\iexplore.exe"c:\program files (x86)\internet explorer\iexplore.exe"9⤵
-
-
-
-
C:\Windows\SysWOW64\dxdiag.exe"C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt7⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
\??\c:\program files (x86)\internet explorer\iexplore.exe"c:\program files (x86)\internet explorer\iexplore.exe"3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
\??\c:\program files (x86)\internet explorer\iexplore.exe"c:\program files (x86)\internet explorer\iexplore.exe"3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
\??\c:\program files (x86)\internet explorer\iexplore.exe"c:\program files (x86)\internet explorer\iexplore.exe"3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
\??\c:\program files (x86)\internet explorer\iexplore.exe"c:\program files (x86)\internet explorer\iexplore.exe"3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
\??\c:\program files (x86)\internet explorer\iexplore.exe"c:\program files (x86)\internet explorer\iexplore.exe"3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
\??\c:\program files (x86)\internet explorer\iexplore.exe"c:\program files (x86)\internet explorer\iexplore.exe"3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
\??\c:\program files (x86)\internet explorer\iexplore.exe"c:\program files (x86)\internet explorer\iexplore.exe"3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
\??\c:\program files (x86)\internet explorer\iexplore.exe"c:\program files (x86)\internet explorer\iexplore.exe"3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exeC:\Users\Admin\AppData\Local\Temp\RuntimeBroker\RuntimeBroker.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa395c855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
23KB
MD54c59260dac603cc79d2cb37acd26e0e0
SHA1394adcf63994f791c79ace544e819c9c2b93fc30
SHA256010ad0c0af2253e443ed3e194c91d0f40372b0897a59c3ea033774d0e6b79ddb
SHA5123a115df73930be138b0a13b99b21024f729c3c4b08ef00f4b69edadd598c62d193b0ad88e7dbb20c662a8085bc5f791a7258ca23a309d4040bb0a7a55d5d1764
-
Filesize
469KB
MD57fbe3e9cc91f4d9f79d8c4200463b282
SHA1d9afcc8511a4dec5c81e1fa1e8923001f6491473
SHA2560164e5fc78dab674449fce53be4ad7a0d9ba63619528729d5330558b8def3a30
SHA51257281b8ade7868c4b4e2571377401e4f7a8760decbc97322fae04368719d5f3f54648758ebb2460d29eaaf407e50c7f6f485798045883cc504d3312ffd2e50a8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
452B
MD534d38358ee85bbcf4ffe4318beb7b2e6
SHA1b719894fc9167b7777308b64f14c081871ab2a50
SHA256f5b596fdc1ee2dfbf3dd91f75b1f1563a442f584e2df9c1b8e71cc3b06ccbaa0
SHA5126c1208f3e5aa4184e1d7e0df628081bb1816d5b4c61dcc34b16946e892db2ef9ea666e28c96bc16c9726f5669179682d615ad1a3226b61aca3221116be747a46
-
Filesize
84KB
MD5e5de3a4deb24b101a0b2bcd2667194c3
SHA14e78973e515ce0af6acaec9274d9a1f6afbd6de5
SHA256412da0a9a9207e5886c16d4357fa6edf013c8dfa7499e8ed900b6f04822ebb81
SHA5125334920b7c9e341fd8eea8b2fcb57a0d3780d0f982abe0592d096ad6f4172041a3c434382fb67e908617a930b9889e5639d015f6a2370560ac41338640e6a589
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
6.2MB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
656KB
-
Filesize
7.7MB
-
Filesize
104KB
-
Filesize
84KB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
56KB
-
Filesize
68KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
216KB
-
Filesize
208KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.5MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
32KB