Analysis
max time kernel: 150s
max time network: 156s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 30-05-2024 02:11
Static task: static1
Behavioral task: behavioral1
  Sample: 4efce9b6099fa6bfc272b5e192fe16cc.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 4efce9b6099fa6bfc272b5e192fe16cc.exe
  Resource: win10v2004-20240508-en
General
Target: 4efce9b6099fa6bfc272b5e192fe16cc.exe
Size: 8.3MB
MD5: 4efce9b6099fa6bfc272b5e192fe16cc
SHA1: d5495d7d0593a0258bb50325eb0381cec5decd19
SHA256: 185d297d3a204b586f262ce576bc40127b6ea49561b07c7e40c0a2e779df03e1
SHA512: 0b81846c316c3790b1d3fd88953d7c9350443d8dd34cbf4311677e5706b59f4e8b0819186f7cb81b980bab88b9aa6802170536d50a989f081b0aacb68f58ca5f
SSDEEP: 196608:UB4vMWmmF95vrRoypY2xNS+U1kYLLBGJt4qi5Wh4d3J4jtQG0gIe:UevBn5viETxNS+5OBU4hat0gI
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1244715424420069449/GTIFnC19DnPwT_RfLQ395m4ILCbNzqdjl2fE6jLwJomWdfGuqMipwhUem4c7oUOG5y7l
Signatures
Detect Umbral payload 2 IoCs
  resource: behavioral1/files/0x00170000000155d9-18.dat  yara_rule: family_umbral
  resource: behavioral1/memory/2912-21-0x0000000001300000-0x0000000001340000-memory.dmp  yara_rule: family_umbral
Modifies WinLogon for persistence 2 TTPs 1 IoCs
  description: Set value (str)  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\Videos\\MicrosoftSecurity.exe"  Process: Client.exe
Modifies AppInit DLL entries 2 TTPs
Executes dropped EXE 3 IoCs
  pid 2868  Process: Nezur.exe
  pid 2688  Process: Client.exe
  pid 2912  Process: Umbral.exe
Loads dropped DLL 2 IoCs
  pid 2756  Process: 4efce9b6099fa6bfc272b5e192fe16cc.exe
  pid 3052  Process: Process not Found
Adds Run key to start application 2 TTPs 1 IoCs
  description: Set value (str)  ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Chrome.exe"  Process: Client.exe
Drops file in Windows directory 1 IoCs
  description: File created  ioc: C:\Windows\xdwd.dll  Process: Client.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 41 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 42 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\4efce9b6099fa6bfc272b5e192fe16cc.exe
  "C:\Users\Admin\AppData\Local\Temp\4efce9b6099fa6bfc272b5e192fe16cc.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2756
  C:\Users\Admin\AppData\Local\Temp\Nezur.exe
    "C:\Users\Admin\AppData\Local\Temp\Nezur.exe"
    - Executes dropped EXE
    PID: 2868
  C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2688
    C:\Windows\system32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Ableton Live" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" & exit
      - Suspicious use of WriteProcessMemory
      PID: 2656
      C:\Windows\system32\schtasks.exe
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Ableton Live" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe"
        - Creates scheduled task(s)
        PID: 2820
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      - Suspicious use of WriteProcessMemory
      PID: 2328
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        PID: 312
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Adobe Premiere Pro" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Chrome.exe" /RL HIGHEST & exit
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 1740
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo 5 /tn "Adobe Premiere Pro" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Chrome.exe" /RL HIGHEST
        - Creates scheduled task(s)
        - Suspicious behavior: EnumeratesProcesses
        PID: 1728
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2124
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        - Suspicious behavior: EnumeratesProcesses
        PID: 576
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 1348
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        - Suspicious behavior: EnumeratesProcesses
        PID: 1204
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2840
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        - Suspicious behavior: EnumeratesProcesses
        PID: 776
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2740
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        - Suspicious behavior: EnumeratesProcesses
        PID: 2876
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2252
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        - Suspicious behavior: EnumeratesProcesses
        PID: 2496
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2776
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        - Suspicious behavior: EnumeratesProcesses
        PID: 2648
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      - Suspicious behavior: EnumeratesProcesses
      PID: 2552
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        - Suspicious behavior: EnumeratesProcesses
        PID: 1428
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      - Suspicious behavior: EnumeratesProcesses
      PID: 2084
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        - Suspicious behavior: EnumeratesProcesses
        PID: 808
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      - Suspicious behavior: EnumeratesProcesses
      PID: 1104
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        - Suspicious behavior: EnumeratesProcesses
        PID: 1648
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      - Suspicious behavior: EnumeratesProcesses
      PID: 1316
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        - Suspicious behavior: EnumeratesProcesses
        PID: 836
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      - Suspicious behavior: EnumeratesProcesses
      PID: 792
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        - Suspicious behavior: EnumeratesProcesses
        PID: 2288
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      - Suspicious behavior: EnumeratesProcesses
      PID: 2744
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        - Suspicious behavior: EnumeratesProcesses
        PID: 2800
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      - Suspicious behavior: EnumeratesProcesses
      PID: 2980
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        - Suspicious behavior: EnumeratesProcesses
        PID: 2240
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      - Suspicious behavior: EnumeratesProcesses
      PID: 2636
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        - Suspicious behavior: EnumeratesProcesses
        PID: 2192
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      - Suspicious behavior: EnumeratesProcesses
      PID: 2796
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        - Suspicious behavior: EnumeratesProcesses
        PID: 1724
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      - Suspicious behavior: EnumeratesProcesses
      PID: 908
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        - Suspicious behavior: EnumeratesProcesses
        PID: 1028
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      - Suspicious behavior: EnumeratesProcesses
      PID: 788
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        - Suspicious behavior: EnumeratesProcesses
        PID: 2280
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      - Suspicious behavior: EnumeratesProcesses
      PID: 952
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        - Suspicious behavior: EnumeratesProcesses
        PID: 1088
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      - Suspicious behavior: EnumeratesProcesses
      PID: 1788
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        - Suspicious behavior: EnumeratesProcesses
        PID: 2284
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      - Suspicious behavior: EnumeratesProcesses
      PID: 2084
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        - Suspicious behavior: EnumeratesProcesses
        PID: 1348
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      - Suspicious behavior: EnumeratesProcesses
      PID: 1604
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        - Suspicious behavior: EnumeratesProcesses
        PID: 1944
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      - Suspicious behavior: EnumeratesProcesses
      PID: 1376
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        - Suspicious behavior: EnumeratesProcesses
        PID: 2408
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      - Suspicious behavior: EnumeratesProcesses
      PID: 2664
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        - Suspicious behavior: EnumeratesProcesses
        PID: 2348
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      - Suspicious behavior: EnumeratesProcesses
      PID: 2532
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        - Suspicious behavior: EnumeratesProcesses
        PID: 1796
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      - Suspicious behavior: EnumeratesProcesses
      PID: 1148
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        - Suspicious behavior: EnumeratesProcesses
        PID: 1172
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      - Suspicious behavior: EnumeratesProcesses
      PID: 2052
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        PID: 972
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      PID: 1156
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        PID: 1924
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      PID: 2284
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        PID: 844
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      PID: 2656
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        PID: 2804
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      PID: 2808
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        PID: 2888
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      PID: 2384
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        PID: 2972
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      PID: 1664
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        PID: 1724
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      PID: 2680
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        PID: 2424
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      PID: 1036
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        PID: 2224
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      PID: 2028
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        PID: 1700
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      PID: 1924
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        PID: 320
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      PID: 1360
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        PID: 1996
    C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST & exit
      PID: 1512
      C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "XAMPP" /tr "C:\Users\Admin\Videos\MicrosoftSecurity.exe" /RL HIGHEST
        - Creates scheduled task(s)
        PID: 3012
  C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2912
    C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      - Suspicious use of AdjustPrivilegeToken
      PID: 2436
C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\wbem\WmiApSrv.exe
  - Suspicious behavior: EnumeratesProcesses
  PID: 1576
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
Downloads