umbral | 8a5df02a019f735361db01e5236473ef17cbbcb4843d2fd9f1d35fb6056a2333

Analysis

max time kernel
39s
max time network
53s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250410-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250410-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
12/04/2025, 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tempfixed.exe
Size

945KB
MD5

643ea9f09b2a1569d837e3ed4df1cde3
SHA1

49cfb0d2624c1e21505f29ccb3dd84fe760f36bf
SHA256

8a5df02a019f735361db01e5236473ef17cbbcb4843d2fd9f1d35fb6056a2333
SHA512

8a46f9d86486acbed1ab277bcb730693c215e2932f84a512d327bda77cd539bcd48d119278817439c4d4762d0ca83de94c05dd242cb59d478fbc9eb4f0a0241c
SSDEEP

24576:f+rGtLxxYkWKYqJYmbb0bxpi2OsDVp2f0/NLTq+avT4BcCi:WGtDYkWezvYxZpp2f0/NLTq+avT4BcCi

Score

10^/10

umbral execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/memory/5784-24-0x0000015DCCA10000-0x0000015DCCA4C000-memory.dmp	family_umbral
behavioral1/memory/5784-24-0x0000015DCCA10000-0x0000015DCCA4C000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4724	powershell.exe
4792	powershell.exe
4992	powershell.exe
4296	powershell.exe
5532	powershell.exe
5012	powershell.exe
232	powershell.exe
3044	powershell.exe
6080	powershell.exe

Downloads MZ/PE file 3 IoCs

flow	pid	Process
12	2704	tempfixed.exe
12	2704	tempfixed.exe
12	2704	tempfixed.exe

Executes dropped EXE 4 IoCs

pid	Process
1652	wvsaqx.exe
5784	KERNELMODE.exe
1652	wvsaqx.exe
5784	KERNELMODE.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
25	discord.com
24	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\Tasks\knfcyy.sys	tempfixed.exe
File created	C:\Windows\System32\Tasks\KERNELMODE.exe	tempfixed.exe
File created	C:\Windows\System32\Tasks\gzz9kr.bat	tempfixed.exe
File created	C:\Windows\System32\Tasks\wvsaqx.exe	tempfixed.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
224	wmic.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
2804	taskkill.exe
5556	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3764	wmic.exe
3764	wmic.exe
3764	wmic.exe
3764	wmic.exe
5784	KERNELMODE.exe
4724	powershell.exe
4724	powershell.exe
5532	powershell.exe
5532	powershell.exe
5012	powershell.exe
5012	powershell.exe
2980	powershell.exe
2980	powershell.exe
3544	wmic.exe
3544	wmic.exe
3544	wmic.exe
3544	wmic.exe
3128	wmic.exe
3128	wmic.exe
3128	wmic.exe
3128	wmic.exe
2200	wmic.exe
2200	wmic.exe
2200	wmic.exe
2200	wmic.exe
232	powershell.exe
232	powershell.exe
224	wmic.exe
224	wmic.exe
224	wmic.exe
224	wmic.exe
384	WMIC.exe
384	WMIC.exe
384	WMIC.exe
384	WMIC.exe
3044	powershell.exe
3044	powershell.exe
4792	powershell.exe
4792	powershell.exe
4992	powershell.exe
4992	powershell.exe
6080	powershell.exe
6080	powershell.exe
4296	powershell.exe
4296	powershell.exe
4472	WMIC.exe
4472	WMIC.exe
4472	WMIC.exe
4472	WMIC.exe
2092	WMIC.exe
2092	WMIC.exe
2092	WMIC.exe
2092	WMIC.exe
3764	wmic.exe
3764	wmic.exe
3764	wmic.exe
3764	wmic.exe
5784	KERNELMODE.exe
4724	powershell.exe
4724	powershell.exe
5532	powershell.exe
5532	powershell.exe
5012	powershell.exe
5012	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5784	KERNELMODE.exe
Token: SeIncreaseQuotaPrivilege	3764	wmic.exe
Token: SeSecurityPrivilege	3764	wmic.exe
Token: SeTakeOwnershipPrivilege	3764	wmic.exe
Token: SeLoadDriverPrivilege	3764	wmic.exe
Token: SeSystemProfilePrivilege	3764	wmic.exe
Token: SeSystemtimePrivilege	3764	wmic.exe
Token: SeProfSingleProcessPrivilege	3764	wmic.exe
Token: SeIncBasePriorityPrivilege	3764	wmic.exe
Token: SeCreatePagefilePrivilege	3764	wmic.exe
Token: SeBackupPrivilege	3764	wmic.exe
Token: SeRestorePrivilege	3764	wmic.exe
Token: SeShutdownPrivilege	3764	wmic.exe
Token: SeDebugPrivilege	3764	wmic.exe
Token: SeSystemEnvironmentPrivilege	3764	wmic.exe
Token: SeRemoteShutdownPrivilege	3764	wmic.exe
Token: SeUndockPrivilege	3764	wmic.exe
Token: SeManageVolumePrivilege	3764	wmic.exe
Token: 33	3764	wmic.exe
Token: 34	3764	wmic.exe
Token: 35	3764	wmic.exe
Token: 36	3764	wmic.exe
Token: SeIncreaseQuotaPrivilege	3764	wmic.exe
Token: SeSecurityPrivilege	3764	wmic.exe
Token: SeTakeOwnershipPrivilege	3764	wmic.exe
Token: SeLoadDriverPrivilege	3764	wmic.exe
Token: SeSystemProfilePrivilege	3764	wmic.exe
Token: SeSystemtimePrivilege	3764	wmic.exe
Token: SeProfSingleProcessPrivilege	3764	wmic.exe
Token: SeIncBasePriorityPrivilege	3764	wmic.exe
Token: SeCreatePagefilePrivilege	3764	wmic.exe
Token: SeBackupPrivilege	3764	wmic.exe
Token: SeRestorePrivilege	3764	wmic.exe
Token: SeShutdownPrivilege	3764	wmic.exe
Token: SeDebugPrivilege	3764	wmic.exe
Token: SeSystemEnvironmentPrivilege	3764	wmic.exe
Token: SeRemoteShutdownPrivilege	3764	wmic.exe
Token: SeUndockPrivilege	3764	wmic.exe
Token: SeManageVolumePrivilege	3764	wmic.exe
Token: 33	3764	wmic.exe
Token: 34	3764	wmic.exe
Token: 35	3764	wmic.exe
Token: 36	3764	wmic.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeIncreaseQuotaPrivilege	4724	powershell.exe
Token: SeSecurityPrivilege	4724	powershell.exe
Token: SeTakeOwnershipPrivilege	4724	powershell.exe
Token: SeLoadDriverPrivilege	4724	powershell.exe
Token: SeSystemProfilePrivilege	4724	powershell.exe
Token: SeSystemtimePrivilege	4724	powershell.exe
Token: SeProfSingleProcessPrivilege	4724	powershell.exe
Token: SeIncBasePriorityPrivilege	4724	powershell.exe
Token: SeCreatePagefilePrivilege	4724	powershell.exe
Token: SeBackupPrivilege	4724	powershell.exe
Token: SeRestorePrivilege	4724	powershell.exe
Token: SeShutdownPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeSystemEnvironmentPrivilege	4724	powershell.exe
Token: SeRemoteShutdownPrivilege	4724	powershell.exe
Token: SeUndockPrivilege	4724	powershell.exe
Token: SeManageVolumePrivilege	4724	powershell.exe
Token: 33	4724	powershell.exe
Token: 34	4724	powershell.exe
Token: 35	4724	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 5160	2704	tempfixed.exe	82
PID 2704 wrote to memory of 5160	2704	tempfixed.exe	82
PID 5160 wrote to memory of 1856	5160	cmd.exe	83
PID 5160 wrote to memory of 1856	5160	cmd.exe	83
PID 5160 wrote to memory of 1692	5160	cmd.exe	84
PID 5160 wrote to memory of 1692	5160	cmd.exe	84
PID 5160 wrote to memory of 3408	5160	cmd.exe	85
PID 5160 wrote to memory of 3408	5160	cmd.exe	85
PID 2704 wrote to memory of 5332	2704	tempfixed.exe	86
PID 2704 wrote to memory of 5332	2704	tempfixed.exe	86
PID 2704 wrote to memory of 1800	2704	tempfixed.exe	87
PID 2704 wrote to memory of 1800	2704	tempfixed.exe	87
PID 2704 wrote to memory of 4064	2704	tempfixed.exe	88
PID 2704 wrote to memory of 4064	2704	tempfixed.exe	88
PID 2704 wrote to memory of 3772	2704	tempfixed.exe	89
PID 2704 wrote to memory of 3772	2704	tempfixed.exe	89
PID 3772 wrote to memory of 1652	3772	cmd.exe	90
PID 3772 wrote to memory of 1652	3772	cmd.exe	90
PID 2704 wrote to memory of 3040	2704	tempfixed.exe	91
PID 2704 wrote to memory of 3040	2704	tempfixed.exe	91
PID 3040 wrote to memory of 5784	3040	cmd.exe	92
PID 3040 wrote to memory of 5784	3040	cmd.exe	92
PID 5784 wrote to memory of 3764	5784	KERNELMODE.exe	93
PID 5784 wrote to memory of 3764	5784	KERNELMODE.exe	93
PID 5784 wrote to memory of 4724	5784	KERNELMODE.exe	96
PID 5784 wrote to memory of 4724	5784	KERNELMODE.exe	96
PID 5784 wrote to memory of 5532	5784	KERNELMODE.exe	99
PID 5784 wrote to memory of 5532	5784	KERNELMODE.exe	99
PID 5784 wrote to memory of 5012	5784	KERNELMODE.exe	101
PID 5784 wrote to memory of 5012	5784	KERNELMODE.exe	101
PID 5784 wrote to memory of 2980	5784	KERNELMODE.exe	103
PID 5784 wrote to memory of 2980	5784	KERNELMODE.exe	103
PID 5784 wrote to memory of 3544	5784	KERNELMODE.exe	105
PID 5784 wrote to memory of 3544	5784	KERNELMODE.exe	105
PID 5784 wrote to memory of 3128	5784	KERNELMODE.exe	107
PID 5784 wrote to memory of 3128	5784	KERNELMODE.exe	107
PID 5784 wrote to memory of 2200	5784	KERNELMODE.exe	109
PID 5784 wrote to memory of 2200	5784	KERNELMODE.exe	109
PID 5784 wrote to memory of 232	5784	KERNELMODE.exe	111
PID 5784 wrote to memory of 232	5784	KERNELMODE.exe	111
PID 5784 wrote to memory of 224	5784	KERNELMODE.exe	113
PID 5784 wrote to memory of 224	5784	KERNELMODE.exe	113
PID 2704 wrote to memory of 5360	2704	tempfixed.exe	115
PID 2704 wrote to memory of 5360	2704	tempfixed.exe	115
PID 5360 wrote to memory of 5564	5360	cmd.exe	116
PID 5360 wrote to memory of 5564	5360	cmd.exe	116
PID 5564 wrote to memory of 384	5564	cmd.exe	117
PID 5564 wrote to memory of 384	5564	cmd.exe	117
PID 5564 wrote to memory of 2692	5564	cmd.exe	118
PID 5564 wrote to memory of 2692	5564	cmd.exe	118
PID 5360 wrote to memory of 2804	5360	cmd.exe	119
PID 5360 wrote to memory of 2804	5360	cmd.exe	119
PID 5360 wrote to memory of 5556	5360	cmd.exe	121
PID 5360 wrote to memory of 5556	5360	cmd.exe	121
PID 5360 wrote to memory of 3044	5360	cmd.exe	123
PID 5360 wrote to memory of 3044	5360	cmd.exe	123
PID 5360 wrote to memory of 4792	5360	cmd.exe	126
PID 5360 wrote to memory of 4792	5360	cmd.exe	126
PID 5360 wrote to memory of 4992	5360	cmd.exe	127
PID 5360 wrote to memory of 4992	5360	cmd.exe	127
PID 5360 wrote to memory of 6080	5360	cmd.exe	128
PID 5360 wrote to memory of 6080	5360	cmd.exe	128
PID 5360 wrote to memory of 4296	5360	cmd.exe	129
PID 5360 wrote to memory of 4296	5360	cmd.exe	129

C:\Users\Admin\AppData\Local\Temp\tempfixed.exe
"C:\Users\Admin\AppData\Local\Temp\tempfixed.exe"
1⤵
- Downloads MZ/PE file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\tempfixed.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5160
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\tempfixed.exe" MD5
    3⤵
    PID:1856
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:1692
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:3408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\wvsaqx.exe C:\Windows\System32\Tasks\knfcyy.sys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Windows\System32\Tasks\wvsaqx.exe
    C:\Windows\System32\Tasks\wvsaqx.exe C:\Windows\System32\Tasks\knfcyy.sys
    3⤵
    - Executes dropped EXE
    PID:1652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\KERNELMODE.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\System32\Tasks\KERNELMODE.exe
    C:\Windows\System32\Tasks\KERNELMODE.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5784
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3764
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Windows\System32\Tasks\KERNELMODE.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5532
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2980
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3544
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3128
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:232
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\gzz9kr.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5564
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nic where physicaladapter=true get deviceid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:384
  - - C:\Windows\system32\findstr.exe
      findstr [0-9]
      4⤵
      PID:2692
- - C:\Windows\system32\taskkill.exe
    taskkill /im wmiprv* /f /t
    3⤵
    - Kills process with taskkill
    PID:2804
- - C:\Windows\system32\taskkill.exe
    taskkill /im wmiprv* /f /t
    3⤵
    - Kills process with taskkill
    PID:5556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command Reset-PhysicalDisk C:
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command Reset-PhysicalDisk D:
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command Reset-PhysicalDisk E:
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command Reset-PhysicalDisk F:
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:6080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command Reset-PhysicalDisk E:
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4296
- - C:\Windows\system32\reg.exe
    REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01"
    3⤵
    PID:5340
- - C:\Windows\system32\reg.exe
    REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001"
    3⤵
    PID:5824
- - C:\Windows\system32\reg.exe
    REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001"
    3⤵
    PID:4572
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001" /v NetworkAddress /t REG_SZ /d 02-CCA9CA22A2C /f
    3⤵
    PID:4516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    3⤵
    PID:3280
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nic where physicaladapter=true get deviceid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4472
  - - C:\Windows\system32\findstr.exe
      findstr [0-9]
      4⤵
      PID:1856
- - C:\Windows\system32\reg.exe
    REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01"
    3⤵
    PID:2760
- - C:\Windows\system32\reg.exe
    REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001"
    3⤵
    PID:3556
- - C:\Windows\system32\reg.exe
    REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001"
    3⤵
    PID:3560
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001" /v PnPCapabilities /t REG_DWORD /d 24 /f
    3⤵
    PID:2444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
    3⤵
    PID:2148
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2092
- - C:\Windows\system32\netsh.exe
    netsh interface set interface name="Ethernet" disable
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1144

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:5776

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
b79eba6da7413efa3073c1847c013c43

SHA1
8064312a89143475e20a7ef921b586bcfcce052b

SHA256
22afc01e3ae9c96fc2e2b1aa37c821dd94dcf5db576f327eae9c09cb815a97bd

SHA512
f5d1a509e3e21a537a25f948afe34c1ac7a554fa325ee9cbc53df0ba3122f1ec4b32841efeaeba2500595525e22b79c9cfadacf1e11335e7a4444ad3138ca057

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1ecfd9fe4edeb910791146e126b84a9b

SHA1
f607a9d17f3415d8722c5bc9025ae1a7530248c8

SHA256
c534461d3e1d4dc8de6e6f718e7c6e2f1ba4bd7ba5ab060ebd50cd47dd21f65d

SHA512
f63b12fd797b9c5def202b6020a191d02146ad60354e1c59940f1129ff0756a312f615ae0143db91302dee62dbf0ed7cb3e0f023f0f53c3aec30a88dda74832b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eeed7197340bd6740c11b592948286f6

SHA1
67d12f1c5adec754daa281bdcde7a3312e2bf461

SHA256
45303bbfd97bddb68f3422b945701517e5ae1936e4425ab33f721c23606eeeb1

SHA512
00db68568ed2e8ebf50cfef75326fbb909582f92e262013f5211955fb27395c2fecaae1684e40a523d57f6102df4338ff05b04d83f20b93471d56850a110eec9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bd7a6eb84c1469df67aad00820f91749

SHA1
c4ceec1b9edef4fd701620e312499833d99df0d9

SHA256
e9ad471f5eb4bc6ff41e1ebfd3d1d54e7ef3e125ad4c14b2e44131ad1449e386

SHA512
99c9ae576066eb02b6e0d71ee8b9826246846d797c1adb7a9bdfce49ddfa1f64c81e5c8e80cfef72aeaf89574422493da7f9f3bba83ce00464bf0cd07dc470e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9b424fb1f75336e45a1dd3008f5a2d37

SHA1
283a221073cf5f06bc36e51dc754c3ce738fdcba

SHA256
e42fd06c0052857f452e96b3b45dfedef9587a97f34404a23226247b6bca446a

SHA512
0e38e3d9a5c2a6d42f7949610834b108668016645e05b4c499295cdd925bc1da075b643dfc4b57ae93ad13acb5bb8d499170459c23b0850905d99be4ef663f6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fdf8953550168e236919c330eceb4ea9

SHA1
778b2a1ba60b84ceccce5da4a923dba60ef93301

SHA256
3cb128ffc431ac693d396b1f4a2ea6ecc5b904889d55547d549f93df57ab746f

SHA512
17a96c6db394807a27d9df3dc31cfc2fba40408e336c3066545d8c252ba2c9affdc4d4a84e8eb5f3cb446e25a9b408b688017cbd5a68c52e2494abb40285f3e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
40c8e3fb10eff9928b7cdfe5c05bd378

SHA1
95974a97ae929b5bba74a2bde276bf00917514f2

SHA256
acfdc38596f31a3134d6b85dbab796089deb9ce67c42924240ef508cd4e5bdb4

SHA512
e1f2010ac3e0e91293cf6a1d59431d022666a797c43b1c50b938090aaa82a07e6b91783f3a08891ce04cf950261b9356d636f821c41daf447b152b3090e1f76e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e1fdd1b66d2fee9f6a052524d4ddca5

SHA1
0a9d0994559d1be2eecd8b0d6960540ca627bdb6

SHA256
4cc7c1b79d1b48582d4dc27ca8c31457b9bf2441deb7914399bb9e6863f18b13

SHA512
5a5494b878b08e8515811ab7a3d68780dac7423f5562477d98249a8bedf7ec98567b7cd5d4c6967d6bc63f2d6d9b7da9a65e0eb29d4b955026b469b5b598d1f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
15052d879d5364d8cd15d94786918378

SHA1
8b2d153a91cad1245bc60122bf1da9d5c9e38671

SHA256
a4268f90c058f7dec9ccea12d11934508835f312e8e7c0e0a302b45359c25ac3

SHA512
a2bccfddd0c057bba7bbf5a4b47834420625490cb70ef330cd533616725962070cf18b1b23431e3d040a2ec90eee9e42e88717af0b99839919e5d37b30a92eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0mnkbxla.zec.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\Tasks\KERNELMODE.exe

Filesize
215KB

MD5
9e9f8ba58e97102f501396661380306a

SHA1
ef9761d1417b2957cc46211992abbf65fa4621b5

SHA256
af9bbbaf25e0f9406cd3bf915a5f123c87fb3b886899cf64e51a21a31434938f

SHA512
9a52ed181f55b14fb826d52005e66878a050c8d3ee902260c5a85c85b4a9354e3523760eee3eb675472bad32eae9343dca8e9a0e149298c73ba134f83c4627e7

Download Submit
C:\Windows\System32\Tasks\gzz9kr.bat

Filesize
2KB

MD5
51c35d5ab22ca701e270c45087bc378a

SHA1
6f58f0959f22d866d95683083cae7187a37e9338

SHA256
234986b8ff4d22499c1bf577c139508db13ef776ea2afdaa264c958e39f6418c

SHA512
9d3ced6b52f9468c7c38701a0d3cbbaee1e1cd8281e1bf548b9dcf642de443d61777dc3e3c005c4f0a8c2bf1906739d541ef262774b4ade4d822d5ebe3c1bbc1

Download Submit
C:\Windows\System32\Tasks\wvsaqx.exe

Filesize
530KB

MD5
54ed683eba9340abf6783bd8d7b39445

SHA1
950e3c11c71354097c8440529b31f8ac2b3c32a8

SHA256
2d0a9d5ca563ffa82a974903bb43411b22c863311ec926449f08d16f483e4e70

SHA512
9ff8c110823bad1e0a79a810b151e1d5557022080af0c8aaa9ff76996bd040747346f62459c50468cf86f49389c0e5fb7f057e9bd30fa31fed49ae5692d50ae2

Download Submit
memory/1652-18-0x00007FF7CACF0000-0x00007FF7CADA1000-memory.dmp

Filesize
708KB

Download
memory/1652-20-0x00007FF7CACF0000-0x00007FF7CADA1000-memory.dmp

Filesize
708KB

Download
memory/1652-20-0x00007FF7CACF0000-0x00007FF7CADA1000-memory.dmp

Filesize
708KB

Download
memory/1652-18-0x00007FF7CACF0000-0x00007FF7CADA1000-memory.dmp

Filesize
708KB

Download
memory/3044-110-0x000001DAB3D10000-0x000001DAB3D34000-memory.dmp

Filesize
144KB

Download
memory/3044-109-0x000001DAB3D10000-0x000001DAB3D3A000-memory.dmp

Filesize
168KB

Download
memory/3044-110-0x000001DAB3D10000-0x000001DAB3D34000-memory.dmp

Filesize
144KB

Download
memory/3044-109-0x000001DAB3D10000-0x000001DAB3D3A000-memory.dmp

Filesize
168KB

Download
memory/4724-25-0x0000026FCEBE0000-0x0000026FCEC02000-memory.dmp

Filesize
136KB

Download
memory/4724-25-0x0000026FCEBE0000-0x0000026FCEC02000-memory.dmp

Filesize
136KB

Download
memory/5784-49-0x0000015DE71A0000-0x0000015DE7216000-memory.dmp

Filesize
472KB

Download
memory/5784-76-0x0000015DCE760000-0x0000015DCE772000-memory.dmp

Filesize
72KB

Download
memory/5784-75-0x0000015DCE6A0000-0x0000015DCE6AA000-memory.dmp

Filesize
40KB

Download
memory/5784-24-0x0000015DCCA10000-0x0000015DCCA4C000-memory.dmp

Filesize
240KB

Download
memory/5784-51-0x0000015DCE6C0000-0x0000015DCE6DE000-memory.dmp

Filesize
120KB

Download
memory/5784-49-0x0000015DE71A0000-0x0000015DE7216000-memory.dmp

Filesize
472KB

Download
memory/5784-50-0x0000015DCE6F0000-0x0000015DCE740000-memory.dmp

Filesize
320KB

Download
memory/5784-51-0x0000015DCE6C0000-0x0000015DCE6DE000-memory.dmp

Filesize
120KB

Download
memory/5784-75-0x0000015DCE6A0000-0x0000015DCE6AA000-memory.dmp

Filesize
40KB

Download
memory/5784-76-0x0000015DCE760000-0x0000015DCE772000-memory.dmp

Filesize
72KB

Download
memory/5784-50-0x0000015DCE6F0000-0x0000015DCE740000-memory.dmp

Filesize
320KB

Download
memory/5784-24-0x0000015DCCA10000-0x0000015DCCA4C000-memory.dmp

Filesize
240KB

Download