Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
26-03-2024 01:30
General
-
Target
7803d28b1cfcb0c4f3a63515fea88508357e02dc2ee982f7ff1f0c2f40af3649.exe
-
Size
3.3MB
-
MD5
1d6590415fa189e9c982e883dc3bcdde
-
SHA1
8261a5718af6eb9ebee4e822e5bd0138f7915dc3
-
SHA256
7803d28b1cfcb0c4f3a63515fea88508357e02dc2ee982f7ff1f0c2f40af3649
-
SHA512
304611cfa8c130dde5e4de5282d3d92a555b85d50889ea097dec9908d619c7d36ec28886c64aa0364d631c289d9bbf509c0ea0aeb7887c92fd91ee3d7834d07e
-
SSDEEP
98304:oZ1HRsp8NbXaaIptoNMrF4NOgmwCof84h:oZVIaIpeOrmNOTwCol
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1219193245557325834/Pny7ckgnLuo9kv28SEntCevPyhBWlY4AfJu4MogOozH9-s-mNnQ7UZJcF1RdHsmmAwgC
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Umbral payload 2 IoCs
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 45 IoCs
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
DCRat payload 8 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Blocklisted process makes network request 1 IoCs
-
Checks computer location settings 2 TTPs 18 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 17 IoCs
-
Checks whether UAC is enabled 1 TTPs 30 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 12 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 16 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 60 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 45 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7803d28b1cfcb0c4f3a63515fea88508357e02dc2ee982f7ff1f0c2f40af3649.exe"C:\Users\Admin\AppData\Local\Temp\7803d28b1cfcb0c4f3a63515fea88508357e02dc2ee982f7ff1f0c2f40af3649.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Saransk.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Saransk.exe"C:\Users\Admin\AppData\Local\Temp\Saransk.exe"2⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Injector.exe"C:\Users\Admin\AppData\Local\Temp\Injector.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Chainnet\8f9Z3.vbe"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Chainnet\oniRrs8nIuzVsaH8sYiTK.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Chainnet\hyperInto.exe"C:\Chainnet\hyperInto.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UEiHGLQwOy.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3a6815f-e9bc-40dd-b24b-16053caee7f4.vbs"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5ab1021-7e54-440f-b1c1-19bf6ae44f3d.vbs"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3bab190-de99-45cb-af9d-f40b69f6f6f6.vbs"12⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\381ec769-6112-4bf5-81ac-c323fb975929.vbs"14⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c04f02b6-e914-4e02-9a41-f2117b491ac9.vbs"16⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67404d91-8dcd-4feb-9055-857de0821b1d.vbs"18⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e01f9198-b15d-4c4e-bd2c-bb775b4b49d7.vbs"20⤵
-
C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab88f1cc-e606-491b-b4e5-6a43b9940e08.vbs"22⤵
-
C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3262af31-ede3-49c0-a791-5de3574908c3.vbs"24⤵
-
C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"25⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5dcbe35c-15e2-40cf-aef0-4a0db72d477e.vbs"26⤵
-
C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"27⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11ac3b59-4315-4be0-86fd-51744bf0bd7c.vbs"28⤵
-
C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"29⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa41bc39-db54-4360-b43f-649b28dff9d6.vbs"30⤵
-
C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"31⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d807a613-f9e3-4790-8998-dc86d2d8ece3.vbs"32⤵
-
C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe"33⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbc1deab-6d55-4f73-b298-a0f3a1a5435a.vbs"34⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80f8eb04-ee16-43ce-84ab-40dcd1281813.vbs"34⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5105e81-7f08-4321-a0e5-0bd7abe7bf51.vbs"32⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67fd576c-0d86-4ab9-bbf3-3e20c4b4d13f.vbs"30⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ce969c4-1bcd-4f7e-b2eb-01d43caeccc6.vbs"28⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\641aebe9-3bb0-4d9c-be97-a7129cb78055.vbs"26⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9bd1afce-b368-4328-be7d-8642a4954317.vbs"24⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64c2ff7e-1386-4d15-8858-06b6ae7adc17.vbs"22⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8415df6-d154-4df3-9c3d-542cfb45f0d6.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04034702-5fa1-4d18-a9b9-843aa88ebcb2.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ea41581-dadb-4ef6-b103-61e9138a4b41.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62c12524-6b4d-47ea-9fc8-b9e39908d38c.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\030e5cb9-6028-4cd1-8f9e-6221007a92b4.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd340eb3-d39b-4f5f-93be-a81027de50b2.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7933744a-0d18-4a4a-856a-4b20f7a7e4b6.vbs"8⤵
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Chainnet\file.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Chainnet\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Chainnet\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Chainnet\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\es-ES\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\AppData\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Adobe\Acrobat\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Acrobat\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Adobe\Acrobat\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Windows\Media\Quirky\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Media\Quirky\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Quirky\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Chainnet\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Chainnet\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Chainnet\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 14 /tr "'C:\odt\WaaSMedicAgent.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\odt\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\odt\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\de-DE\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\de-DE\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Chainnet\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Chainnet\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Chainnet\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\odt\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\uk-UA\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\uk-UA\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Windows\uk-UA\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\PrintDialog\pris\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\PrintDialog\pris\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\PrintDialog\pris\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
206B
MD5b3080903ab3740f3f1346f2f61834c2b
SHA1a5b37c9ea7a58c9194de44382d75dc4863d3d5b7
SHA256505642ffc3c57426bb6575eb3ac48ea1f3e303fa5b34ea6ccd3fe2f7021619a1
SHA512a33ace44bf4936bb2747586d590d762da473840179d9553d0b213f12f11a2d10713fb6bb5637058a40bf0b12f710dfe07930476d8ea5765f0dba816389f9e419
-
Filesize
3.4MB
MD5d63861446161da73423a6378ab06af5e
SHA18d3116fa2ac5d4e7fb9684498f69edf3e976f977
SHA256c46e261e262516989fb8205f6e939b13fc19326f936229f024b41b9d4956f8bd
SHA5127bf3f16a5c455dbf902284ba581097b7ecdefcfb9df55053c868f4ae84e9097b4fb6214c9896cc344ea65979516b20df8e35d19c97de79d52ee27fb86e61eb88
-
Filesize
34B
MD5677cc4360477c72cb0ce00406a949c61
SHA1b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA5127cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
Filesize
2.7MB
MD5a7ae60d2cbf4ac3ac2d03ba648b5df36
SHA1f88e80af139107d193351099cd7ef0030812deae
SHA25621168d9d6e22fc0ed2fd6ce715725c543babaddc29124495b8a5c554f8a95412
SHA512227042db19298ae6d2c7ae0d2954f9ab4f6e8590739def91d8879919adc99eebec305a63dd0634e1d058e14586c0af7288bfaaafc6852bda27f72fc47bda3df6
-
Filesize
2.1MB
MD502aba8a0005cdfdc3c77811e714110cd
SHA1cf28ec5bf878524e1ba5bccfef7e21a635c5c7e8
SHA25638b98e856304c84b59cf81b746944b0d4977ca380e0a07919706ca706add9f5a
SHA5120363cd666311fa7bee15cf2deb1d054decf4f3c33d3a2289c26cf097bbf69eb514246077a01db1a9e703358791f85e1da5df94c5c87222d05445d8571eff6001
-
Filesize
27B
MD594db4d897ca54289c945a06574084128
SHA1d4168950c994dacea1402a9570a4735350b86c10
SHA256a759a78b129faaa486102e6486d595070e7c923bf4159ae7b8eb78fec3c2a461
SHA5122548059003c4bff60dbe0e9aa5c097bac130ecb7bae7896b83f577bb2aa0e3c1b356545ebc92e3487ef937026c96ef48d2df750b31f0acea9166bfb9342cd28a
-
Filesize
2.5MB
MD5ac66a649203a68e95f88a862ea8addb0
SHA13f648227d32f9225889275fd5d699d4c53c6a7bd
SHA25635642eb652de90d8e7ec77b570ff8a64b4f5be3051261fade7b0a61f3e4e5ad9
SHA5122bfaba9a758ca4557103335d011686c1b566098ee343e2407641242499f5cfab0bdf605e95108e5433a3e2ee8c1cd19218114ba2cf2ccc3adab16a72c33c7269
-
Filesize
2.0MB
MD53e1bfaa8a58d382bcc005652b29879ae
SHA15caac9966ac9b9af7719a17adbf4777ee21377d1
SHA256aa83314101a8dfece421da3ee9d3eb446989d19bd268053fa97a780744b52eb8
SHA5126f4a5e7ca58e28e3d485cfb290eb923cc8089dac3f2e45b898498704dc0a2e9c1da69b81b350362d40bef61a65b71a9e988d9d6a620c7f2c7afe2a6ff173ac01
-
Filesize
1.1MB
MD58fec55f8dbe09e9d9c3eb78ba5311cf1
SHA14ffe40fe68d2a279bfce9c7e4e3c460f4dcc64f4
SHA2562cdb6434706507b242848035471b09d0a6e1b31bd9d6c42cb3749772f0349e8d
SHA512e93a4a9b57c69e52cbb3773ac31b1bfa746fd3dc47b6bb56b008663bdb194e832047eb4c346f24aee36f78fe480d8ab4d20ac916c5834632d16acfe52d544560
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD549b64127208271d8f797256057d0b006
SHA1b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA2562a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
732B
MD59284dbfba37daabdb3892a093fc40b69
SHA14f9e7c3fc818f32b24f27cb78f51e38c92ec2a62
SHA25625f1e4c4c94479d860a646fb164c6b5581ed7073fa881f67b569aa6f87df1650
SHA5129eb4dc5907e7fbf4edfb4d95a9246a83e7806c97490a4db07b962868c99a2c90096903354be9ddce1530e69b8920190418fc70f4da3c2451fe424bc338b93b95
-
Filesize
733B
MD5945bf3a6506978d55e5406fb5c3772f8
SHA17c67485ec9111b53613efa7c248cb9de9feb6c3d
SHA256a941075c170b3b6be9f7b74cb7425c361fc71983bd93c4fee4995a85b9475675
SHA512661a171de3828e897ea08728b6727f486e9597db0d7f64be0c698800b1f2be9ece5c9c8ae26dadfc4d5948fe5d36bca31a32c649417971963e0ab3d91371142a
-
Filesize
733B
MD50dbb246041b2db0140b1292723008703
SHA16bf621c0c7bfd1f185fc8b6d2d7ccd0171fbf4f1
SHA256e85566131dc3e0f929e5dfc211adc3cc1b6277ec71c464e5fc994cbc0ae37d95
SHA51255e9a8db535c4ff1e124f0992ca2caa7687b10a5ce4c59cbfa3ac66b2522435a93ae213172df6b3dd7d8d20ba897ee3ef530eacb12ab72fce95c6029cfada3ac
-
Filesize
733B
MD5aebec4ae8a9f97d9bce2089254884ab8
SHA1b8286906c03199945325ef8075dcafcacad24eda
SHA2566a8c754c678b0655e60a2652b87d4ada3ea74ebae640c9692987bf0f51febef8
SHA51231e3b0eb106ca60d205214e3dc8c0f51ddcb6448967706d6bbcb113fc8e78be0b8da5fad9c8b51f828cc6ed78adc360d7e3e30946c0e1f4369f3fa866cbb3c79
-
Filesize
733B
MD5a4c93f39c86be094b86d8ef3332cba69
SHA189068c0507199c3a61f2625f389fca23d5e41f32
SHA256fdc086b691ed06d81884ab1271e5997aa547a5afa822d0c4ade40601225eb6e3
SHA512ec252b214d8796749f61fe0f1f408b56b046202b4ab5dab1f6d777017d6c4b7e5de7248f168cf99bf8e50089050638e78aa518dcaf55a16472df597222cea477
-
Filesize
509B
MD587b492336f048b32f6114d896084b0c3
SHA12b8f5235125b29370e88f6f162e0f5f86600a22f
SHA2568fee0e618b1871b5794d378c0dec1b2381ba038122c15a13c85a3901a440c747
SHA51205659c409534e50a80d90aa4f525517fe64c90ad97e183dd4113b7257a25592b5414f903109d078d26730a4375b411e530afc0d444f7e8ecb8548a7205963cff
-
Filesize
3.7MB
MD5323e22b442e4d4f9930c5b65f6d1028c
SHA17dadf78756dd00c68d5094a59dc7bcccf3c8346d
SHA256eaedca12a90cf9afa1d7e42358571269e726ccd5a5c96b6d98c7b242f08e9e00
SHA5122da37cfe8005ed1e299ad6c3e676abeafd6160b47bb9888d1cbdcb7a82e7955feedb4286ee6dfbe64a1b62814ff1af11a718074854d2699a4a2975d4fbfd5b2e
-
Filesize
227KB
MD505c183f8c0d871d6081f1ea4096805e4
SHA14a05aba815c8471fca4fcc9a789683385b0c24ca
SHA256eff59569967501a5e21ff3f8be9cc487e30d23e1538aeb121f9ab0955c308849
SHA512ef35359087662c4213f667c49182ab794fbb28dfe2a5b9e1fad5729e516b1ef08c2d7230a84e4808b693832d7b4ad43530377886cd2c993407a7fe38333ad347
-
Filesize
222B
MD5c34b5d65a8a54fb597adb4cf3d06d8b0
SHA184a257e31c5717471b29ad76cfaae30198aaf8e6
SHA2563142e487cb0cd66b0753fce5c555ad4ce7cd3df3345be71beba3c875cc3a5eab
SHA5129c8203a1ec6a1bf139e5a20377021eace52865601da2a553159cf8584821b33b45f38f0a1c414d281592db8be18cc585e595aa348d0f32805e486c5791e671ad
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
733B
MD5799ab0567ee22124eef57482985f6a32
SHA1dd05434eae0facc5ea5baec50135493b869bad26
SHA2561107bb48883c5915f61e18bc1ddcf5b1e4d41eea752abc8791455fe4130ab8cf
SHA51226a9b906911f16aace544210677437b0e3054fd4a75ea22ef64d5338c81949b2b769863f6e4e36de46cfa3c05dba24acb48a063aacb01725e80e1cff68fe0c54
-
Filesize
733B
MD50dbf5b39774ad4d5fcda79a252b9d0cd
SHA1713986b0aa46ecdb271280bec95f77c84056d58d
SHA2564ed096af89480279a43426f7e7861f9e6ba4ffcd8f26ed39fc0f84053b7bbc8d
SHA512b4fd4a679eb24bbaebb0073184d444c0ff2c292ddffe96f9473247c63b61dae57cc58c5b5b21fbc685f4ea38f4284e9e122afceeef6a0ad762fa805adde4110a
-
Filesize
733B
MD5d3fdc9d5d2af906852ee0284f3cb74e0
SHA169ea7d3a08aa4e6c2573bbcde23ad402b791236c
SHA25608e9ef91d3815f0ed30868055763341a76ebed45a3520e50ef87d1f8482058de
SHA512b762fe4f45994cc347cb882892ce07079fc2ab3687a7d852b3954430ca9bfb5b7e304b310748afb8ae0da85ce941a9ee40949077a5fa0dc99c9e2ac6599fde52
-
Filesize
733B
MD5ebd9e595cd4c171da889e88694ed8615
SHA195d46928743d8cac322b56f2042cbdb9de7bfb7b
SHA256d8419ef4dae98c6a70c01d194730c2d58a12ad5c2a995858af712829ace45f34
SHA512489387e4568e7cc860b1de4697e33bfea304d1d6fa9e6093c6eb188b16c8d1a1bcec1f348c213e633ff9cfe433f34652d4817afa90bb752e7b2496c75103ec3a
-
Filesize
733B
MD5368f7eedd0bf3424bceb5a0624592eeb
SHA1fe04dc93a73ef4515be6a958e09150b07e713d1d
SHA256121631ee9c7bfab3933c996ef3d7eb9aa4ecf21473ccdacf5da5e833b91c8acb
SHA512965aa094c8b3af34b53ceedcadede6d8819fad8aef1bdd373d3f11a30aacdc5928fb9c1ad802c560b15279d405b96f52fab44b0382ad31641e55ef2522203059
-
Filesize
733B
MD585d5993791942f426a44380d3564f795
SHA12b3ab8a3a910d3b332a0087513b606159f16a327
SHA2568e8de08695196e8b1724303fbc4effd00ee18199eea902bba591ff092d017a30
SHA51210beeaf4d4a3e1f0874de678d70ed2046b534534855c84d882ad8c9e54588a6c3a3a7644a67f70ecaf5fd5274e7aa02edc4f69d03357ed606271ded0e656fd34
-
Filesize
733B
MD5b19f224a6a82baefa9db43c474cdf209
SHA1de589b8e8deff7fd9a61013b07f9c7461fe2ea31
SHA2569ce8e17fd296c28cd0f867bba1a74542775d36394342e1cfc2c2ef3c0336edb2
SHA5129e4687f69d9e38543afc10d9f9f1a51b60987c2ec5b7b638d1215044cf9eb140a0eb36704b21977f9aa1013d9851b6676920fe2fb5ee3fe48b0b0736ed0480b1
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
344KB
-
Filesize
88KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
320KB
-
Filesize
72KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
5.2MB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
3.4MB
-
Filesize
64KB
-
Filesize
256KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
72KB
-
Filesize
3.3MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB