Analysis
max time kernel: 147s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/06/2024, 15:05
Static task: static1
Behavioral task: behavioral1 (Sample: Client.exe, Resource: win7-20240611-en)
Behavioral task: behavioral2 (Sample: Client.exe, Resource: win10v2004-20240611-en)
General
Target: Client.exe
Size: 374KB
MD5: a5b3f4e49fb95e2c97fda3e559bcdfb7
SHA1: 144e2bbc1a63a616af95b80a86d00de020f56802
SHA256: 70b9e863db74948ad712ccfc04ea1a4c9b9b221a56c4b71f5ee4f5b891be3782
SHA512: 6bc9c5e5e26bfa563654342a1366f14f7a5ffb2e399cbb7cca3e6f75baebd09e5119cd931b1da1dcc6a5edfa82af432183e5c32b39f7a406972fcbfdb0d84bd4
SSDEEP: 6144:nmN0/Sl+zgQS3TTdvQNxlZiYzVcUCNcIub9:mqSOxlvSBNc9
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Program Files\\$77fuh.exe"
Process: Client.exe
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\123 = "C:\\Program Files\\$77fuh.exe"
Process: Client.exe
Drops file in Program Files directory 2 IoCs
description: File created; ioc: C:\Program Files\$77fuh.exe; Process: Client.exe
description: File opened for modification; ioc: C:\Program Files\$77fuh.exe; Process: Client.exe
Creates scheduled task(s) 1 TTPs 41 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 24 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
description: Token: SeDebugPrivilege; pid: 2368; Process: Client.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\Client.exe "C:\Users\Admin\AppData\Local\Temp\Client.exe" 1⤵ PID:2368
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\CMD.exe "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Visio" /tr "C:\Program Files\$77fuh.exe" & exit 2⤵ PID:3936
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Visio" /tr "C:\Program Files\$77fuh.exe" 3⤵ PID:912
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:2028
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:2992
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:2760
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:3464
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:4236
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:4048
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:4480
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:4800
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:1092
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:5024
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:2212
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:1524
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:4796
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:2140
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:224
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:1488
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:2324
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:1108
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:400
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:4220
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:4736
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:1112
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:916
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:4552
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:1348
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:3468
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:4032
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:4536
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:4464
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:4744
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:3652
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:1376
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:1576
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:1412
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:1956
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:4424
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:4808
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:3376
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:3808
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:4824
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:4500
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:1308
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:1888
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:1940
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:4748
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:1288
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:912
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:2992
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:468
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:1360
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:4364
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:3564
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:3568
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:3444
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:4804
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:5092
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:1440
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:1168
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:4852
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:4384
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:3580
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:2880
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:3164
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:3964
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:4984
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:1940
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:4976
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:4580
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:4668
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:376
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:4088
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:4900
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:4552
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:3700
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:636
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:640
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:2592
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:1076
      - Creates scheduled task(s)
  C:\Windows\SYSTEM32\CMD.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST & exit 2⤵ PID:4400
    C:\Windows\system32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "$77dfesf" /tr "C:\Program Files\$77fuh.exe" /RL HIGHEST 3⤵ PID:4060
      - Creates scheduled task(s)
C:\Windows\system32\wbem\WmiApSrv.exe C:\Windows\system32\wbem\WmiApSrv.exe 1⤵ PID:3992
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution: 2
Registry Run Keys / Startup Folder: 1
Winlogon Helper DLL: 1
Scheduled Task/Job: 1
Downloads
Filesize: 374KB
MD5: a5b3f4e49fb95e2c97fda3e559bcdfb7
SHA1: 144e2bbc1a63a616af95b80a86d00de020f56802
SHA256: 70b9e863db74948ad712ccfc04ea1a4c9b9b221a56c4b71f5ee4f5b891be3782
SHA512: 6bc9c5e5e26bfa563654342a1366f14f7a5ffb2e399cbb7cca3e6f75baebd09e5119cd931b1da1dcc6a5edfa82af432183e5c32b39f7a406972fcbfdb0d84bd4