umbral | c73691a41f00ef9996d4dc6c045630d279e181bad3637b284f60479e62881c0c

Analysis

max time kernel
2s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2023 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Z1ON Dot Net Obfuscator.exe
Size

1.9MB
MD5

8ec9b900dbb217f1569c50c14d4adf34
SHA1

d73701be4fc77450549011cc6c19f37feddcf5b4
SHA256

c73691a41f00ef9996d4dc6c045630d279e181bad3637b284f60479e62881c0c
SHA512

4486419c5b338a17e813acbca2a5300ce085e172a588ae93bec3927fada2ad0f763dff34a944370fc350ea48c6ed9752a2da553309fe5cefffb81811eed39f6b
SSDEEP

49152:wZz/tPlg5nvjlIQH6gVTBicEE0ZPnQvEtQo3A:wZTtPaR7d5IRQvQl

Score

10^/10

umbral stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1181926505694105630/CE5sVzq-GthkGDnvcUQZk7Evr9osSekTkqbwPbUukyJDim0j7oTaR65R-5mv1Sfx-3Re

Signatures

Detect Umbral payload 21 IoCs

resource	yara_rule
behavioral1/files/0x000700000002322a-32.dat	family_umbral
behavioral1/memory/3408-33-0x00000210AD360000-0x00000210AD3A0000-memory.dmp	family_umbral
behavioral1/files/0x000700000002322a-102.dat	family_umbral
behavioral1/files/0x000700000002322a-145.dat	family_umbral
behavioral1/files/0x000700000002322a-165.dat	family_umbral
behavioral1/files/0x000700000002322a-186.dat	family_umbral
behavioral1/files/0x000700000002322a-229.dat	family_umbral
behavioral1/files/0x000700000002322a-250.dat	family_umbral
behavioral1/files/0x000700000002322a-272.dat	family_umbral
behavioral1/files/0x000700000002322a-291.dat	family_umbral
behavioral1/files/0x000700000002322a-312.dat	family_umbral
behavioral1/files/0x000700000002322a-333.dat	family_umbral
behavioral1/files/0x000700000002322a-353.dat	family_umbral
behavioral1/files/0x000700000002322a-374.dat	family_umbral
behavioral1/files/0x000700000002322a-394.dat	family_umbral
behavioral1/files/0x000700000002322a-415.dat	family_umbral
behavioral1/files/0x000700000002322a-437.dat	family_umbral
behavioral1/files/0x000700000002322a-458.dat	family_umbral
behavioral1/files/0x000700000002322a-478.dat	family_umbral
behavioral1/files/0x000700000002322a-498.dat	family_umbral
behavioral1/files/0x000700000002322a-519.dat	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4108	schtasks.exe
1628	schtasks.exe
5068	schtasks.exe
3796	schtasks.exe
3416	schtasks.exe
4232	schtasks.exe
232	schtasks.exe
3008	schtasks.exe
3256	schtasks.exe
3264	schtasks.exe
4444	schtasks.exe
3396	schtasks.exe
3564	schtasks.exe
3488	schtasks.exe
2736	schtasks.exe
3748	schtasks.exe
4416	schtasks.exe
508	schtasks.exe
4948	schtasks.exe
3880	schtasks.exe
2716	schtasks.exe
4368	schtasks.exe
4824	schtasks.exe
2588	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
"C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
1⤵
PID:4804
- C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
  "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
  2⤵
  PID:3000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
    3⤵
    PID:3036
- - C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
    "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
    3⤵
    PID:1676
  - - C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
      "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
      4⤵
      PID:4232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
        5⤵
        
        PID:4120
    - - C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
        5⤵
        
        PID:1684
      - C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
        6⤵
        
        PID:2332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
        7⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
        7⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
        8⤵
        
        PID:4120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
        9⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
        9⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
        10⤵
        
        PID:2988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
        11⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
        11⤵
        
        PID:4332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
        12⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
        12⤵
        
        PID:4720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
        13⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
        13⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
        14⤵
        
        PID:3832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
        15⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
        15⤵
        
        PID:3800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
        16⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
        16⤵
        
        PID:3876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
        17⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
        17⤵
        
        PID:3196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
        18⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
        18⤵
        
        PID:3020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
        19⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
        19⤵
        
        PID:1184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
        20⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
        20⤵
        
        PID:4184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
        21⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
        21⤵
        
        PID:4792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
        22⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
        22⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
        23⤵
        
        PID:4500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
        24⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
        24⤵
        
        PID:2996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
        25⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
        25⤵
        
        PID:2936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
        26⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
        26⤵
        
        PID:1588
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Runtime Broker" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /RL HIGHEST
        25⤵
        Creates scheduled task(s)
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
        25⤵
        
        PID:2172
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        26⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
        24⤵
        
        PID:3212
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        25⤵
        
        PID:3392
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Runtime Broker" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /RL HIGHEST
        24⤵
        Creates scheduled task(s)
        
        PID:2716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
        23⤵
        
        PID:772
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Runtime Broker" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /RL HIGHEST
        23⤵
        Creates scheduled task(s)
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
        23⤵
        
        PID:2888
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        24⤵
        
        PID:3412
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Runtime Broker" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /RL HIGHEST
        22⤵
        Creates scheduled task(s)
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
        22⤵
        
        PID:2172
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        23⤵
        
        PID:3376
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Runtime Broker" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /RL HIGHEST
        21⤵
        Creates scheduled task(s)
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
        21⤵
        
        PID:2228
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        22⤵
        
        PID:4948
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Runtime Broker" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /RL HIGHEST
        20⤵
        Creates scheduled task(s)
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
        20⤵
        
        PID:3696
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        21⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
        19⤵
        
        PID:812
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        20⤵
        
        PID:3652
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Runtime Broker" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /RL HIGHEST
        19⤵
        Creates scheduled task(s)
        
        PID:4948
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Runtime Broker" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /RL HIGHEST
        18⤵
        Creates scheduled task(s)
        
        PID:508
        
        C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
        18⤵
        
        PID:2412
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        19⤵
        
        PID:4020
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Runtime Broker" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /RL HIGHEST
        17⤵
        Creates scheduled task(s)
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
        17⤵
        
        PID:3880
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        18⤵
        
        PID:4372
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Runtime Broker" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /RL HIGHEST
        16⤵
        Creates scheduled task(s)
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
        16⤵
        
        PID:2476
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        17⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
        15⤵
        
        PID:184
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        16⤵
        
        PID:5072
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Runtime Broker" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /RL HIGHEST
        15⤵
        Creates scheduled task(s)
        
        PID:3488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
        14⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
        14⤵
        
        PID:1584
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:2688
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Runtime Broker" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /RL HIGHEST
        14⤵
        Creates scheduled task(s)
        
        PID:3796
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Runtime Broker" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /RL HIGHEST
        13⤵
        Creates scheduled task(s)
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
        13⤵
        
        PID:3272
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        14⤵
        
        PID:1488
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Runtime Broker" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /RL HIGHEST
        12⤵
        Creates scheduled task(s)
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
        12⤵
        
        PID:384
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        13⤵
        
        PID:4836
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Runtime Broker" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /RL HIGHEST
        11⤵
        Creates scheduled task(s)
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
        11⤵
        
        PID:4808
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        12⤵
        
        PID:1588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
        10⤵
        
        PID:3948
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Runtime Broker" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /RL HIGHEST
        10⤵
        Creates scheduled task(s)
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
        10⤵
        
        PID:1040
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        11⤵
        
        PID:184
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Runtime Broker" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /RL HIGHEST
        9⤵
        Creates scheduled task(s)
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
        9⤵
        
        PID:4388
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        10⤵
        
        PID:4508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
        8⤵
        
        PID:2172
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Runtime Broker" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /RL HIGHEST
        8⤵
        Creates scheduled task(s)
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
        8⤵
        
        PID:2264
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        9⤵
        
        PID:4348
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Runtime Broker" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
        7⤵
        
        PID:3948
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        8⤵
        
        PID:1992
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
        6⤵
        
        PID:3700
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Runtime Broker" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /RL HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:3008
      - C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
        6⤵
        
        PID:344
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:5072
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Runtime Broker" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /RL HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:4444
    - - C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
        5⤵
        
        PID:5068
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:1440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
      4⤵
      PID:4640
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "Runtime Broker" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:3264
  - - C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
      "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
      4⤵
      PID:2476
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        5⤵
        
        PID:3964
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "Runtime Broker" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4416
- - C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
    "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
    3⤵
    PID:528
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:3532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
  2⤵
  PID:2472
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "Runtime Broker" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:3748
- C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
  "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
  2⤵
  PID:3408
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broker.exe.log

Filesize
1KB

MD5
8094b248fe3231e48995c2be32aeb08c

SHA1
2fe06e000ebec919bf982d033c5d1219c1f916b6

SHA256
136c30d964f4abbb5279bdc86d0e00578333782f15f05f0d2d050730dcb7a9bc

SHA512
bf27a3822008796370e2c506c910a40992b9240606ea1bc19f683b2fee86b81897660ac0cf8e746ca093dae9e408949e2e9002ded75678a69f020d3b0452801f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Z1ON Dot Net Obfuscator.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a2c8179aaa149c0b9791b73ce44c04d1

SHA1
703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

SHA256
c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

SHA512
2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
993af531f0b57e8128ec273731c3a8e2

SHA1
a42ea55876f4f390837dd2c95fb7ff2344b6e9e1

SHA256
fff934d70d813381536d272c5b8ac6ad70acd054267b13592da767c9bd1dda62

SHA512
bdf5970ff2ee314dc297fce5c0f44765e77acbf269cd9ad9e7448a391d5f80d66a0c5426f99bc3480851e8763413aa180b3b3b6b22ef0e86a365450cb8c334e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2524e72b0573fa94e9cb8089728a4b47

SHA1
3d5c4dfd6e7632153e687ee866f8ecc70730a0f1

SHA256
fafde5bec1db5e838e0a43603714686f9911b7aaa8d8ff0fe40f9496a7b38747

SHA512
99a7593a82353f792a58ea99196330aaa8c34ac2f616f0be4b4ca4f76388485866ba96dc62d9b8e7627c1df6a1f74111342307ba82400adce5adac68b47a6fa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
04f1d68afbed6b13399edfae1e9b1472

SHA1
8bfdcb687a995e4a63a8c32df2c66dc89f91a8b0

SHA256
f358f33a42122e97c489fad7bbc8beab2eb42d42e4ec7fce0dd61fe6d8c0b8de

SHA512
30c5e72a8134992094d937d2588f7a503b1d6407d11afe0265b7c8b0ce14071925e5caed13fc4f9c28705df4c7aed3601f81b007048b148af274d7784aa5fb75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a7cc007980e419d553568a106210549a

SHA1
c03099706b75071f36c3962fcc60a22f197711e0

SHA256
a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

SHA512
b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
40b9ac38a232729536f8764039b17139

SHA1
e1c194c09e2ccfb080dcb61b4f3a5b661f82f0af

SHA256
99372ad38570a8021ee6c4f7a41bbc2499eb76381dbd594ea413ec84ded2ccf3

SHA512
b37990cbd31cb9dce8e5c14a8996d88cdaf30dd1c279ed1804b92bd1bdb074f98421d563f26bc68d969df200fb4feb93bb26d9edb01c7bf4583e8cc9fca34887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

Filesize
179KB

MD5
0c207c98c89b2f9c272fda74daf9b5e4

SHA1
68134effc10eee9b444bb638790f2c75cba9bb42

SHA256
6d3d3a8167ca45753ba2a2ff0abb4e0d2eebb6216d94b43b938be639b944074e

SHA512
6595b2f8e9c451c6a2744e5cce8cb362117a1e35717f5fae098a2c0809bd61aec425e7cec25efa2b2cbe5d3185b735aa43ce5ad6648c213ed61d7a2505574f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

Filesize
182KB

MD5
969b515bdf1d79338ba6d1059063176f

SHA1
ab7de7ee4e1e8073d7ad03990d90cb02f30dac0d

SHA256
76624c04b8ad99e90df7cdef7826a86010b57c642ba1c700464a5e45d07734a8

SHA512
074555f13660cc7aa1245aeb723e4f5a36910e92c6888d918cea9c32a32bac4fe2c1a36cd9a73544056f0a5061794ac4d50d7f7429b93207355a8406651b9f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

Filesize
76KB

MD5
6987693ac8d6506d4c60f879159a4e7a

SHA1
8e6514fb3e5c733132887fbc4b33e7863f669eb4

SHA256
64b69fd696da1231b6a3c3fba938af4798c650f0920941bc5f77ac7b153b59ec

SHA512
e04c2584562d1a22512e5ffd3740faf24eb4e3eac6a65ef2b075f8498d4dc994f8c5ec83a2d92625d0b3fedfd3127f792df1bd07e07cef7ca671e3c563554a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

Filesize
18KB

MD5
07df3491f3f1741dac680e47ee9c1c5c

SHA1
672a5b7227672a69ae512de18ad5ea26b04e0e14

SHA256
03451a851d2ab0d5e539977bc11fc43eef355b7f2270727d7a41e1a0836d5fbd

SHA512
7af307c815a5766622a4ca019503c97f0e16ada85be244dedee6792f97ac38b68d3cc097104b4fa9c901b8b46e6826307879632d9cfba33e247232702dfe1a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

Filesize
165KB

MD5
eec02a450ca8a646b79370a29707d89e

SHA1
a9513db61af187aebcbbd2134d72bfa73b526e0e

SHA256
5d8e11ff189f456b3b5e85dc4b88a974134a9ca3e640dd44647a62abdd27b423

SHA512
fa9de639b79952e4ccb66b97181b54b3ee45d86b041f70b4742ad364fb6876c00770e495720488a8362f683a8a10a83c82094be7a213e81c707388d8448d364b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

Filesize
42KB

MD5
50989fe376468b2fd81e7e2e0655ff8d

SHA1
69ad24fa93d60a7aa4c06eebaa4f4cbc0ceeece9

SHA256
62b52315bed52e2b151e07d3de7571648852b7c5fc17fe156367bbb4dc0b6b51

SHA512
e76636ec35009b4a847ac881b9d9e5d3239974d436e144f4d74839c83305b8852ce9a210a3da19556d2f74c2f87cc3e4aae36cdaed1b62092ac184970da9d928

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

Filesize
83KB

MD5
0c759c2197783371dfade49038a6175a

SHA1
bebae1195391324bf8085b949200cfc54708de55

SHA256
a53733e4a7149696b83c995cd733ae4cd1ca46a15cb4354bfdadd53981d75d42

SHA512
9687cd351fe496289c15666204dc7b125920d05c5f4b27f0000c6e926d9c8d9506972f3d62e82120fc244a7bad2868f79b5a0a14fdd0d731aef42619b3d5f041

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

Filesize
64KB

MD5
a16fc02b99b2efc8606eb850ec20c965

SHA1
629517d179360f66d853c83a8e72b5fa41bd8b15

SHA256
98d94f98207eaa1b46b4eed7350cfd57b89785b4b4b693e98afdd17edc359ace

SHA512
c8dff0ef86afdb3c232c7f6fde7b5d289cefa5f1479ed888351f3d9c7edf2f7cd4a777b21c320ee8d5cfeb67bede0bc5cef15d21464881f90653d7eda7370763

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

Filesize
17KB

MD5
255c4b07d1f632e1eb124aa4e833883a

SHA1
ab2752b7c98945f31ce238f5a96ef91c6fea1bf5

SHA256
744e8bd5afee5f7a6e0ce9dc29882401d101359d977a7e6c1a515e573c4539dc

SHA512
2a731d7addea0e3fae1380d7588d2e97e8f3307aef1a6f04447e17ee7274a5af274fa9ffe2ff61471eef2ed04a39aed104a289788e39d7b408b59d77fa2c0f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

Filesize
227KB

MD5
e55e95e9f14ec4f04735dedc53921773

SHA1
39a664bccf3564cc15341e2df671f79efaf599bd

SHA256
f90239f26adcd67c9e71b6ceb2989ba1c2d95c23363816c622f377a763f6d462

SHA512
939b9368259971de2d3ec6e558cdd22f2ee21e7120ab5293873365e2ffb17b069ee81dae559fc00876764e62576e96fe6ec121c9343b4c840ff8b7a414c26cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

Filesize
85KB

MD5
844ffeefe8b347615cf68a2fce3f01cf

SHA1
114c9b2b5d38536ee82148df397c92ae79122388

SHA256
851376ee4f279fbae81f11ac843e0cfd2829ad2202e78239f2fceb55a1e3bd57

SHA512
fbb41be58e8348e0579c16237e948a6c8cf15dad52bd8776c3fee9d9063e2f015a244d5a18c25effc44187839ac85efdd17db081fe103c08f7b6f2805299b2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

Filesize
1KB

MD5
3d692cfe37df3e0804abcdc7eab336d1

SHA1
f08bd193bc749c36fc18ce92cc6f5c908c2ae1b1

SHA256
7df9d57e25c6c2498cec41b614033667aa36114251866533f4b8ceb8f27e7c7c

SHA512
931d8d4317d7261065f2a7c330a617a3c50a6577adef2e316fb4ef04424b1805b1ae88a278911a0628b0c8caf46deee2d36d0beac13fef5be34a3cd9ee1f6c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

Filesize
57KB

MD5
865f608c69df72f1ada27d4715a70b6b

SHA1
4ea9bc4c5304d8a6452c03a3268014c5a055bf8f

SHA256
b11f8fa37af65f44aa36811d0c9a3e286af46d896de90ad60fc4b6d89d7932da

SHA512
481def054b22984ae6948f530c3b32409b3747b82c183f8d933cae7cd94b76ccccea661eb9569cb105647df77fd0a2a8d8d319df974d45b8b1bc9b2ec4f1e2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

Filesize
44KB

MD5
4520b95d6d77dc88afefc40a1397c9e9

SHA1
b322430649b104cf60109d913c3f88d24d3336a0

SHA256
a1805ab4fbefa042863a92fa70366146b6eb346adcfe48728b5d342d37396945

SHA512
8abec4dfca11c420e36eec65ea59f885ba77687e9ec1d7496f557da214ef02ed889ed856e904d4eb86543a322853e3e7c856cc69ee704c702dd58a178f688f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

Filesize
68KB

MD5
6913d39a7fdf26b4f67fc35e4148f71b

SHA1
907f494b7e38e18472f232f9f4d2c9b068e9297e

SHA256
11f59182cf867e6984e42d4f475dd98626e86210ff3bebed7277bff08344e102

SHA512
f3a4614b711e7a548bbde6659c3efea822600198b8685d48f72314449c183056c544b9b680ea9b13b8c169b1feec9165efd7c607f351dea824f8586e25f1e35f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

Filesize
51KB

MD5
27b4cc9fe365767b2d021614793a60dd

SHA1
0400fc3d449f7b0d047d41ca62bdb36e25e96d85

SHA256
721f1c9d3d1e206de1f1003165736272ba717aecdbb02fab1a3e59679a832bc4

SHA512
19ba5f71262e18785eaa1c22502507ecf10cd20a37c8161b618653ca930d225e6a56969115cd86dc141a69207602f5773059e6cb067aa3a2012ab54fae6e0de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

Filesize
38KB

MD5
11a263cf217796d5db92e2079208b363

SHA1
56de67d0c302d101e48de786d0a282b60653958e

SHA256
f371319e9d066b3ec33260d76226954a13e9d45cb7423f16084fa484ffa22b25

SHA512
2ac244b2098fc348267eaae018ba44547d414be213eecf2852c3da6effcc6af51b548c1da2d5e869e3ccda16749d030527785b0e18afdd1ceea4c4c24b3a6941

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

Filesize
148KB

MD5
a9a39eb92f148029aad3bd5ab66c50ca

SHA1
5d4172cd89e0819f236945711acf46e816300280

SHA256
9105fa317292f8ba838d9bdc20f3d4eb2cde18634c9a13139e9c9525051dfc88

SHA512
a140c80d1716db5ee631a10456537522d15e0a15610fb49bb81c07c14fbadb4b730ba317eecc40dd86bf8db54e9ae5283c93e40f6669751bbe940223396f3297

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

Filesize
48KB

MD5
8b9e56f38d7ca7561ea899a3f97de897

SHA1
22bf57b48cab12c2d23898dcc422365f0ff2efe6

SHA256
93a418371770a28e9b96d0862d7f095a3bfdf386cb860c257a0996047ff09be8

SHA512
17738a96c3a18bcfa63723427649aa962445754d83375039fb5f900262ca708d1e469074dcb5d77cd75d1eef85cd5f3a53b719c523a72d77b7735683d8e55d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

Filesize
59KB

MD5
6e498d712e9733ea635dd13601febe3c

SHA1
7e10200ca3500e8e607343a445afca3cbf66b27a

SHA256
3bae6a57b7fc893b2731ffa7c2d4aba331a83b3be0144c896fd1ad3364cd5b05

SHA512
f8a8a48161fb06fedfe52957080b3c923b102b8d53a5a2e585020ee266ebbffdd6b38e9389c2fb95a18492a746600d391112efb1b927173410c5b7a000d5db05

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ew1wj5lb.sd0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/344-128-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/344-127-0x0000025B6EF00000-0x0000025B6EF10000-memory.dmp

Filesize
64KB

Download
memory/344-126-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/528-61-0x00000217C0A00000-0x00000217C0A10000-memory.dmp

Filesize
64KB

Download
memory/528-62-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/528-60-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/812-397-0x000001D35B460000-0x000001D35B562000-memory.dmp

Filesize
1.0MB

Download
memory/1676-140-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/1676-81-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/1676-41-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/1676-142-0x000002C4AF0F0000-0x000002C4AF100000-memory.dmp

Filesize
64KB

Download
memory/1676-63-0x000000001BAD0000-0x000000001BAE0000-memory.dmp

Filesize
64KB

Download
memory/1676-144-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/1684-125-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/1684-86-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/1684-107-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/2172-160-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/2332-147-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/2332-108-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/2332-129-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/2448-149-0x000000001B730000-0x000000001B740000-memory.dmp

Filesize
64KB

Download
memory/2448-130-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/2472-19-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/2472-13-0x000001B2797B0000-0x000001B2797D2000-memory.dmp

Filesize
136KB

Download
memory/2472-14-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/2472-15-0x000001B2775C0000-0x000001B2775D0000-memory.dmp

Filesize
64KB

Download
memory/2472-16-0x000001B2775C0000-0x000001B2775D0000-memory.dmp

Filesize
64KB

Download
memory/2476-84-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/2476-83-0x000001A2348E0000-0x000001A2348F0000-memory.dmp

Filesize
64KB

Download
memory/2476-82-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/3000-3-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/3000-59-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/3000-39-0x000000001B6E0000-0x000000001B6F0000-memory.dmp

Filesize
64KB

Download
memory/3036-56-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/3036-54-0x00000240B8730000-0x00000240B8740000-memory.dmp

Filesize
64KB

Download
memory/3036-53-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/3408-33-0x00000210AD360000-0x00000210AD3A0000-memory.dmp

Filesize
256KB

Download
memory/3408-35-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/3408-36-0x00000210C7890000-0x00000210C78A0000-memory.dmp

Filesize
64KB

Download
memory/3408-38-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/3696-419-0x000002AF604D0000-0x000002AF605D2000-memory.dmp

Filesize
1.0MB

Download
memory/3700-119-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/3700-120-0x000001A1D94B0000-0x000001A1D94C0000-memory.dmp

Filesize
64KB

Download
memory/3700-121-0x000001A1D94B0000-0x000001A1D94C0000-memory.dmp

Filesize
64KB

Download
memory/3700-123-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/3948-148-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/3948-146-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/4120-150-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/4120-101-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/4120-98-0x0000022FE9670000-0x0000022FE9680000-memory.dmp

Filesize
64KB

Download
memory/4120-97-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/4120-99-0x0000022FE9670000-0x0000022FE9680000-memory.dmp

Filesize
64KB

Download
memory/4232-85-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/4232-64-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/4232-103-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/4640-77-0x000001B6732F0000-0x000001B673300000-memory.dmp

Filesize
64KB

Download
memory/4640-79-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/4640-75-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/4640-76-0x000001B6732F0000-0x000001B673300000-memory.dmp

Filesize
64KB

Download
memory/4804-34-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/4804-0-0x0000000000230000-0x0000000000414000-memory.dmp

Filesize
1.9MB

Download
memory/4804-2-0x000000001B050000-0x000000001B060000-memory.dmp

Filesize
64KB

Download
memory/4804-1-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/5068-106-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/5068-104-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/5068-105-0x000002317CAC0000-0x000002317CAD0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads