Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
05-06-2024 01:53
Static task
static1
Behavioral task
behavioral1
Sample
Client.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Client.exe
Resource
win10v2004-20240426-en
General
-
Target
Client.exe
-
Size
380KB
-
MD5
7091d715676e10c44205e6fa7f50b7bd
-
SHA1
a950398047b6b554181538d6e78ada18bfba510e
-
SHA256
23f43cc11c07245b3c5c14333a53b97330ebd7afa4a893245834fbebfa967d88
-
SHA512
2fd66a8fd5b4d0f1ef52f6cd89b8e14936b56fdb967a83382d8081e67fbbabdb609decef98d19c8caebcc1b5b9bcc3cbaa0209112c9c081556ff87bfcdf7308b
-
SSDEEP
6144:MwZC8z6GIwaC9M1G4TIcgGz+rH4uCBbhZnKMgVia:RZC8OGgt1G4TGY+NCNn4Vi
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Program Files\\$77fuh.exe"
Process: Client.exe
-
Drops file in Program Files directory 1 IoCs
description: File created
ioc: C:\Program Files\$77fuh.exe
Process: Client.exe
-
Creates scheduled task(s) 1 TTPs 46 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid: 3808
Process: Client.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description: Token: SeDebugPrivilege
pid: 3808
Process: Client.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client.exe"C:\Users\Admin\AppData\Local\Temp\Client.exe"1⤵
- Modifies WinLogon for persistence
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3808 -
C:\Windows\SYSTEM32\CMD.exe"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Visio" /tr "C:\Program Files\$77fuh.exe" & exit2⤵
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Windows\system32\schtasks.exeSchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Visio" /tr "C:\Program Files\$77fuh.exe"3⤵
- Creates scheduled task(s)
PID:4904
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:2264
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:2260
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:4396 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:1360
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:2468
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:2852
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:3356
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:2488
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:4852
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:1916
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:3192 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:4220
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:988
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:3384 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:2200
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:4376
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:3332
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:2500
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:3432
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:3744
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:5004
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:2432
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:4952
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:3144
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:724
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:4124
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:3788
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:2520
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:4292
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:1528
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:3392
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:1372
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:2488
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:4100
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:3456
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:2656
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:3632
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:4508
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:4872
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:1140
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:1304
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:2052
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:2624
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:1912
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:4224
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:3492
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:648
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:852
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:2324
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:1392
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:5052
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:5048
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:3184
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:4088
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:4064
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:4392
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:3176
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:1080
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:1644
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:4632
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:624
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:4524
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:4440
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:2852
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:3344
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:3268
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:4060
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:3104
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:4936
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:1488
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:3264
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:2656
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:4844
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:4752
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:4796
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:4560
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit2⤵PID:4568
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:4316
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:5008
Network
MITRE ATT&CK Enterprise v15