Overview

overview

10

Static

static

3

3969991942...b8.exe

windows7-x64

10

3969991942...b8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    28-05-2024 07:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3969991942bb5b6130977411ae258ab8.exe

  • Size

    19.8MB

  • MD5

    3969991942bb5b6130977411ae258ab8

  • SHA1

    c391e670488d73dc79c2acfab1e845d9c3e5227e

  • SHA256

    aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28

  • SHA512

    ce009d113cd85629cb744c0e30fecc9cb1f3bc353b546eab676604a3eec976c5f0dc60cb29b7f4841bb71bb7596128340d1b222408c9aeeb9f9671d1a1add00a

  • SSDEEP

    393216:O581WtclJGQ9GnlC58mn3yJQjNKlgtcTuOYTmWYlY5nGPEy+tj7NJX:OeWgdGnlCqm3vKCTmpY5Py+r

Score
10/10
dcratumbralxwormexecutioninfostealerratstealertrojan

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1221847080373584144/7stbODqa-C2IH_V1s7-AaD6fECqR68YLov_s341xewFGvFGlgl7fRFcAsV3CtRNlSgzQ

Extracted

Family

xworm

C2

127.0.0.1:30683

operating-niger.gl.at.ply.gg:30683:30683
Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\3969991942bb5b6130977411ae258ab8.exe
    "C:\Users\Admin\AppData\Local\Temp\3969991942bb5b6130977411ae258ab8.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Users\Admin\AppData\Roaming\Nursultan (17).exe
      "C:\Users\Admin\AppData\Roaming\Nursultan (17).exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Users\Admin\AppData\Roaming\Nursultan.exe
        "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2632
      • C:\Users\Admin\AppData\Roaming\LoaderMas.exe
        "C:\Users\Admin\AppData\Roaming\LoaderMas.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2464
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\LoaderMas.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1460
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LoaderMas.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2788
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1720
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:920
    • C:\Users\Admin\AppData\Roaming\t.bat
      "C:\Users\Admin\AppData\Roaming\t.bat"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\perfdhcpSvc\LUps3wjkA6jhdk7xRy8J55z2u.vbe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\perfdhcpSvc\mStUjP0ksX5N.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2740
          • C:\perfdhcpSvc\Chainprovider.exe
            "C:\perfdhcpSvc\Chainprovider.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:888
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GK2qgzCJOo.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1420
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:956
                • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Nursultan.exe
                  "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Nursultan.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2384
      • C:\Users\Admin\AppData\Roaming\Umbral.exe
        "C:\Users\Admin\AppData\Roaming\Umbral.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:284
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\de-DE\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2452
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\de-DE\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2008
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\de-DE\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2784
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Downloads\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2148
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Downloads\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2788
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:596
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:772
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:572
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3048
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1772
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1456
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3028
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "NursultanN" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Nursultan.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:388
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Nursultan" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Nursultan.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2380
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "NursultanN" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Nursultan.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2040
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Local Settings\lsm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3064
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1300
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Local Settings\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1504
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Pictures\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1560
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2904
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Pictures\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1868
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\ja-JP\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:896
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1964
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\ja-JP\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2220
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2992
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1272
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1692
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2932
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2808
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1616
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\de-DE\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1996
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\de-DE\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1544
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2504
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Recorded TV\Sample Media\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2652
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2756
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Recorded TV\Sample Media\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2192
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1876
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2604
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2436
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2460
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2488
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2532
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Videos\audiodg.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2564
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3020
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Videos\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2500
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Nurik\taskhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2600
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Nurik\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2336
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Nurik\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1556
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "NursultanN" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Nursultan.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1608
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Nursultan" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Nursultan.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1648
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "NursultanN" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Nursultan.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2292
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Nurik\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2136
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Nurik\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2172
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Nurik\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1284
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3044
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2396
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1048

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\GK2qgzCJOo.bat
      Filesize

      241B

      MD5

      e77a7624d0baff03b22f7b434771aea3

      SHA1

      4e5249048e2b59c7934e3ff4e1ad57649e15955a

      SHA256

      c23cc391ccbc771a058ffea9d1cdf7ea8758639ea80a9da9cf5892093cfbe9a9

      SHA512

      c8e334c132ac987b386ed18afba05a8792f20b257416c07a844686cd482d9b42125da2b5844b4cff6a3a1490fdc4490ea3883f3295457ce7d3a11a57aab1e847

      Download Submit

    • C:\Users\Admin\AppData\Roaming\LoaderMas.exe
      Filesize

      63KB

      MD5

      a0dbdf3af38ead2237ccb781a098a431

      SHA1

      1434296af6c5530eb036718e860490e0adc3321a

      SHA256

      6f483da6b36646bf6f33db0c210bd3683ff29428a44d916a2f26a4240c1a9901

      SHA512

      dd7dc91a2e09b0c3906efbb486fb84d0289dc61338afd75d203f1ab2f49556c9523a8a9abc913363a45dde8194f5b2ee9d3d659807250047331944c39006edc3

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      60b3ca59b857e9f66c06df73a4590d04

      SHA1

      7221b4bd5ac7277790e4caedb17053bbaa9ee0c8

      SHA256

      a8e9e8725e6143d5d7c121ca9be558a135fc48f13f1ff6360a8f2d56e75ab1a5

      SHA512

      342d4f14263b742a0dd2a4bcef20a6f60c931e8767c050d7953694343df3d9468e21b851629ce38ebed8327171e4446a11ca9bde2abeebe19aa4733687232f28

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Nursultan (17).exe
      Filesize

      18.2MB

      MD5

      ed965403e795c3b563d67c734472ad93

      SHA1

      6b8b929239d5ef8f1f546c591c67acaf560de4dc

      SHA256

      6b7473e7177ef0666f6afe36b257d0730dababefc209ee1c5f2da319dbe1633d

      SHA512

      bd860103c5ac1bcc02bfefc669616a1b0103dfb3c611b0e4499cf4b1fc67d49c9cd57c1839936b75e0f0008aec0f84cb0af712feb334957972661405a137f649

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Nursultan.exe
      Filesize

      17.9MB

      MD5

      e504e3fc36fe4d6f182c98923979a779

      SHA1

      3ba9f1a9a15b79639a20cfcf79c9de31d15a17a6

      SHA256

      70b7b95bb952b3325476867307fc5bd4df5769b97bbcdd8b60e7b46e1b38e4a0

      SHA512

      63bbbc3ccf14b2846df64b8edae52b6431df52aa9e03569a28ca239ab02db94bf79ca8a0a30529e35a04ee5845768d752b99e6ce3830ab440c57850180ad1647

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Umbral.exe
      Filesize

      229KB

      MD5

      f48ef033300ec9fd3c77afff5c20e95f

      SHA1

      22d6125b980474b3f54937003a765cdd5352f9a8

      SHA256

      72ee11a905ca278130f02397422b4cc4944851065ce0072f9888b70c5ad40f1e

      SHA512

      847ee8cdb14879089c861168d6be90325304df490668a38447b37772423e6dab5e32a5df344ceb58410d3b24cf25cd7221e8768951e5aca14820996a1e8304bc

      Download Submit

    • C:\Users\Admin\AppData\Roaming\t.bat
      Filesize

      1.1MB

      MD5

      d85bd59cf0808fb894f60773e1594a0a

      SHA1

      84b9d205f3ae6ca4f8f1bb938ee8b4d452444cde

      SHA256

      f3ef597673421e514d7fed82b40d65386c3811c4a8f5553afd59fc632bca8746

      SHA512

      225788e3e98449f53e6206c585315a37c9ff6ed0b5425b2a98e50c7ac45ab3c187ccf7626f126ba300bd8dbdf89c864e89f85d6264edc89281745b081ec58f97

      Download Submit

    • C:\perfdhcpSvc\LUps3wjkA6jhdk7xRy8J55z2u.vbe
      Filesize

      200B

      MD5

      00b53f3e200522631227cac1a07e0646

      SHA1

      a0c69d58c7ca10f5fd5e1320b1b2f92081d7fcfe

      SHA256

      486c050aadc42906113b0c5c8485dff36b0187f343a732542608a91b0565146c

      SHA512

      22241ae8a31c7e564c9fb652947e4fe17f80c6e94dfe1a3bb5890f6eb97797ee32ccfff5d647eef02bda31bd47c5d95521cd0c6349a01e501e6e064ea6306243

      Download Submit

    • C:\perfdhcpSvc\mStUjP0ksX5N.bat
      Filesize

      34B

      MD5

      a9330c6da12d90d5d956ae2bbcf017d7

      SHA1

      7ebaa14eed80db6d9f0c0c0f1ecab1a9c3f61410

      SHA256

      b49853470383dce14680f656aca7ea449b1d6aabb3f18d4165ebd7e3e7545393

      SHA512

      557c91cc1cc0d7309f50e286644a2da543c0283d4a1659f7d31554282ddc48b5f972d98d5a01433078fdbe6cc813bb6f7c120e2307fae48c5d81be44ae823228

      Download Submit

    • \perfdhcpSvc\Chainprovider.exe
      Filesize

      827KB

      MD5

      d2ec227ddac047e735393e58e742fd44

      SHA1

      7aae5c76378f7cfcff8bb983695fa4c2577a20e2

      SHA256

      0e679527f2df9f87d33c82023256fac276c36006579d2d71877ccab4be847cce

      SHA512

      5a11b292a574bd2ca6c225af1e4c9f95004a49ce816cc59a73d4ab6e2a0b007a58ab56e5e0c004901c3ebe4ec06054e6e801f8e659711856857add6d43f38979

      Download Submit

    • memory/888-56-0x0000000001040000-0x0000000001116000-memory.dmp

      Filesize

      856KB

      Download

    • memory/1460-98-0x00000000029E0000-0x00000000029E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1460-97-0x000000001B720000-0x000000001BA02000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1720-119-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1876-1-0x0000000000E50000-0x0000000002220000-memory.dmp

      Filesize

      19.8MB

      Download

    • memory/1876-0-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2384-132-0x0000000000B90000-0x0000000000C66000-memory.dmp

      Filesize

      856KB

      Download

    • memory/2464-37-0x0000000000BF0000-0x0000000000C06000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2540-18-0x0000000001220000-0x0000000001260000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2556-40-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2556-38-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2556-12-0x0000000001280000-0x00000000024BA000-memory.dmp

      Filesize

      18.2MB

      Download

    • memory/2632-42-0x0000000077750000-0x0000000077752000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2632-47-0x0000000140000000-0x0000000142153000-memory.dmp

      Filesize

      33.3MB

      Download

    • memory/2632-44-0x0000000077750000-0x0000000077752000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2632-46-0x0000000077750000-0x0000000077752000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2788-111-0x000000001B780000-0x000000001BA62000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2788-112-0x00000000027E0000-0x00000000027E8000-memory.dmp

      Filesize

      32KB

      Download