Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-05-2024 12:30

General

  • Target

    inj.vmp.exe

  • Size

    22.7MB

  • MD5

    dee1c4a8e532d17e7df879ec1a6c976b

  • SHA1

    6a037eb25dc446471df9799fabf60e605e609736

  • SHA256

    769b8a2310c87fdd9be0e00525d0f347b7e0d7fd8e5ecf17f1aa119889b1e654

  • SHA512

    326b6ca9ef7487acf89e4d6a3f29984a371dd20e2e5e0fb3269a4a7ecb79984a3d133617d5025aa759441b1fd54f1953a356ccffa847f17774e3b5ec64b308a3

  • SSDEEP

    393216:ML1qcoAyijQ73qEjyqB+oriLjzLYlH5g68q4gsVEmoOZCStRQO2Wv:UqksXyqB3AjPYli6ZRWQO2C

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:64360

19.ip.gl.ply.gg:64360

Mutex

fQ7cS52Kya0qPDrO

Attributes
  • Install_directory

    %Public%

  • install_file

    drivers win gui32-64.exe

  • telegram

    https://api.telegram.org/bot7428011234:AAGLbtvNd_gYGzKdTJ5RNt6COu1jCeNidCs/sendMessage?chat_id=6043308554

aes.plain

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1245665414894063698/9HY7oZoZyztJUOo37jUN0IUaDDWwrbOgYQ06gp0QdpH2eHf05kVC8yRyvqaZKUVdWnAm

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Modifies WinLogon for persistence 2 TTPs 25 IoCs
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Umbral

    Umbral is an open-source modular stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 9 IoCs
  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Adds Run key to start application 2 TTPs 51 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 10 IoCs
  • Detects Pyinstaller 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\inj.vmp.exe
    "C:\Users\Admin\AppData\Local\Temp\inj.vmp.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Users\Admin\AppData\Local\Temp\111.exe
      "C:\Users\Admin\AppData\Local\Temp\111.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\111.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2332
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '111.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1520
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\drivers win gui32-64.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:676
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'drivers win gui32-64.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:348
    • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
      "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\driverdllnetdhcp\F9mnHWtyAUd0Q4P2aZ3fzq.vbe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1312
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\driverdllnetdhcp\nZjz3z5F13Ya5AH4Q7c.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:3048
          • C:\driverdllnetdhcp\Chainblock.exe
            "C:\driverdllnetdhcp\Chainblock.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1968
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ycaMgafzeK.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2600
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                PID:1800
                • C:\driverdllnetdhcp\Chainblock.exe
                  "C:\driverdllnetdhcp\Chainblock.exe"
                  7⤵
                  • Modifies WinLogon for persistence
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Drops file in Program Files directory
                  • Drops file in Windows directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2476
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f3YgPfhNWN.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2008
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                      PID:2816
                      • C:\Users\Default User\Idle.exe
                        "C:\Users\Default User\Idle.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1692
    • C:\Users\Admin\AppData\Local\Temp\creal.exe
      "C:\Users\Admin\AppData\Local\Temp\creal.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2436
      • C:\Users\Admin\AppData\Local\Temp\creal.exe
        "C:\Users\Admin\AppData\Local\Temp\creal.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2796
    • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      2⤵
      • Blocklisted process makes network request
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1616
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "crealc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\My Documents\creal.exe'" /f
        1⤵
        • Process spawned unexpected child process
        PID:1676
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "creal" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\creal.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2352
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "crealc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\My Documents\creal.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2336
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "crealc" /sc MINUTE /mo 12 /tr "'C:\driverdllnetdhcp\creal.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2288
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "creal" /sc ONLOGON /tr "'C:\driverdllnetdhcp\creal.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1708
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "crealc" /sc MINUTE /mo 14 /tr "'C:\driverdllnetdhcp\creal.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2524
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\cmd.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2212
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\es-ES\cmd.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2628
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\cmd.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2720
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2840
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2604
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:2472
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Visualizations\winlogon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2460
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:2556
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\Visualizations\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2940
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\lsm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1844
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:832
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2824
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "crealc" /sc MINUTE /mo 8 /tr "'C:\Windows\Help\Windows\ja-JP\creal.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2680
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "creal" /sc ONLOGON /tr "'C:\Windows\Help\Windows\ja-JP\creal.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1476
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "crealc" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\Windows\ja-JP\creal.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1732
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        PID:1324
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1300
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:296
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "1111" /sc MINUTE /mo 13 /tr "'C:\driverdllnetdhcp\111.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2768
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "111" /sc ONLOGON /tr "'C:\driverdllnetdhcp\111.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:2932
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "1111" /sc MINUTE /mo 12 /tr "'C:\driverdllnetdhcp\111.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1808
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\driverdllnetdhcp\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1032
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\driverdllnetdhcp\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1868
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\driverdllnetdhcp\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2084
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\lsm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1052
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:720
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2956
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "crealc" /sc MINUTE /mo 5 /tr "'C:\Windows\system\creal.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2000
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "creal" /sc ONLOGON /tr "'C:\Windows\system\creal.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2064
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "crealc" /sc MINUTE /mo 12 /tr "'C:\Windows\system\creal.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:656
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\Network Sharing\dwm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2092
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2268
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\Network Sharing\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:840
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        PID:312
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1772
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:1592
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1768
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1864
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1728
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\dwm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:908
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:912
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2332
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\explorer.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1780
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:584
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3024
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2036
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1828
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:1044
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\driverdllnetdhcp\lsm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        PID:1552
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\driverdllnetdhcp\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2516
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\driverdllnetdhcp\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1752
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\sppsvc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        PID:1560
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2180
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Temp\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2428
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2536
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1628
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2680
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1712
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Creates scheduled task(s)
        PID:3016
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Creates scheduled task(s)
        PID:2724
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Idle.exe'" /f
        1⤵
        • Creates scheduled task(s)
        PID:276
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Creates scheduled task(s)
        PID:704
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Creates scheduled task(s)
        PID:1504
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "crealc" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\creal.exe'" /f
        1⤵
        • Creates scheduled task(s)
        PID:1528
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "creal" /sc ONLOGON /tr "'C:\Windows\L2Schemas\creal.exe'" /rl HIGHEST /f
        1⤵
        • Creates scheduled task(s)
        PID:780
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "crealc" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\creal.exe'" /rl HIGHEST /f
        1⤵
        • Creates scheduled task(s)
        PID:812
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\explorer.exe'" /f
        1⤵
        • Creates scheduled task(s)
        PID:1844
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Creates scheduled task(s)
        PID:1432
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\explorer.exe'" /rl HIGHEST /f
        1⤵
        PID:2824
        • C:\Windows\system32\wbem\WmiApSrv.exe
          C:\Windows\system32\wbem\WmiApSrv.exe
          1⤵
          PID:1428

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Downloads

          • C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\886983d96e3d3e

            Filesize

            928B

            MD5

            5992a46bfc0f098d308279dd4a6820ce

            SHA1

            9de43ad3ee8284b1880ea794d7fdd02af4381ea7

            SHA256

            c9c055c79dbe3e7ef431f6326e26dc6f663d5a2eae2062d5091758c5fa489f59

            SHA512

            36c42ee530c7a813449c6431b31b5c99ca0151730b7717dba188bd241394908a8e7b18ecb32e54a85ad464cdbd0cb0d3cc8b5a766171f349d43d380f8261bb50

          • C:\Users\Admin\AppData\Local\Temp\111.exe
            Filesize: 137KB
            MD5: 4fc9af76328e9a763c13fe118909f60f
            SHA1: 5891202c4d6c64e679d5ae4ef588da148a75fcfa
            SHA256: be5b3394726c2808f0e5a136715c9510f8aad48bda39e1427ec4bfd07cbb7929
            SHA512: 81904986bce26164d6e8bc7d26c238eddd6fee9283cd3a8c50e23bbeeb715d4df92c2be06e1d480a2205fdfea4e54f221b3dde476f13702e08dece8908d8665d

          • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
            Filesize: 231KB
            MD5: ac6128ddf92997f4fb93fc7e96b41688
            SHA1: c44d5ea1485c767f38e3d25861949ad0622b1eb9
            SHA256: 056deb66464141ad23d618146d95f9c153c519b0883c5485b202065fa918a77c
            SHA512: 3b23043761c2b78de8b421dc251f921853699280f33935fe4125690324d50b493c3c871313197e21dfe72916156e6768c1eba712a1be545ed381cbdf11a23a68

          • C:\Users\Admin\AppData\Local\Temp\_MEI24362\python312.dll
            Filesize: 6.6MB
            MD5: 3c388ce47c0d9117d2a50b3fa5ac981d
            SHA1: 038484ff7460d03d1d36c23f0de4874cbaea2c48
            SHA256: c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
            SHA512: e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

          • C:\Users\Admin\AppData\Local\Temp\creal.exe
            Filesize: 16.2MB
            MD5: 8709fcddb975efe3ec1832fc640fb0be
            SHA1: cb1746fed0bcccab20e85001940bf2a5c07df8e2
            SHA256: 25a115a9373ccd98036c5ede2b36894d53e8d80daf4904d75a1af85d842b8e50
            SHA512: e3f89cff6f357c4aae9fc56db4ead7be39b2819585ac01a0be37b05b1022d5f163b2f0b626d0dbf51972d2baeac138f0e56fa43d62b73f4ceafc38776d46597c

          • C:\Users\Admin\AppData\Local\Temp\f3YgPfhNWN.bat
            Filesize: 195B
            MD5: 7d3397c32bbeb89ded747a8c085dbab3
            SHA1: 14c2278557f994d9b5ee0251eda31e3fe918b321
            SHA256: d2c712ce23cc374d013318560da827de13655cec13a3a18e97782d3dad47d291
            SHA512: 3325add8188514f6a6f69ce31cd17c5dfa6f28ee5b6dee575a4fe7490b8f50fdbe970d21ef8d62df986bf9cc41294e678c792ba0b1224b2c8dce8bf6f5c1d2a0

          • C:\Users\Admin\AppData\Local\Temp\ycaMgafzeK.bat
            Filesize: 199B
            MD5: 4dabc321d29ca11be59c7c30cc107421
            SHA1: 34bef8a70b27199ecb7287fe804486fcba492ba4
            SHA256: e11992ea5d8b42090cf08ad12ce46c312cda41a22773c704bcdb6fdc1c251916
            SHA512: 8e32a99f7c7208b9c5ac6b339632f0c07d85948178d54bbebc377524f2345eea2e0ac51519faa974bd13b8aae7f97c72e550a414947cc84082930ab58553a99a

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O0L57LVF05L63ZU8YMTM.temp
            Filesize: 7KB
            MD5: 0f8193dc149a445c957e022720d8f917
            SHA1: 896c23a14d09b8416a64661eabd18f89a1f705b1
            SHA256: 3e9accbcdbc5d8c2db180d022018b58f5d00597068f3a2c18449530a5e0f076f
            SHA512: 30f4f1f1154470ab22115cde6006981f2fcb7cb767f440d7608838b7a9b8ada617b66e34c5eb441824876521cb92c2d5a10f5d4af1cbd8be9870ee3320abc923

          • C:\driverdllnetdhcp\Chainblock.exe
            Filesize: 1.0MB
            MD5: 56618cfc4ca3d949bee86a3c17da1588
            SHA1: 3fdc6e4f75f5376d67ec070e4c3e1821726f9af4
            SHA256: e93b54c6d98c32501c0b09166c8d4bb24d22369055786462b7bbc6b96c3d0fc7
            SHA512: 9f468fbcd5c21beaba8a041fcd34463b0d7a21d2f904f4eab4f444ea9b5d8441c6752b90e747b9be6c65b94073b868c5f2e4062cdb45656e8aa4fbab016b13c6

          • C:\driverdllnetdhcp\F9mnHWtyAUd0Q4P2aZ3fzq.vbe
            Filesize: 213B
            MD5: dbc5df53473b6a35f1b729b6cf2000b8
            SHA1: 6ae3f088d012cfde80cbe805c6657bfa2b4c1b0e
            SHA256: 87861eb569a57fe9e25b2a0ab0f79bbf9859b4710eef852dd51327a804421061
            SHA512: 675125b9371b02ce259d7ffa1218e8c0e23184fa90cdabbde31777d4f56c47ee2509b5efd35edaf2495b74266332faafccffa6aba878446887e4d9d4e659e746

          • C:\driverdllnetdhcp\nZjz3z5F13Ya5AH4Q7c.bat
            Filesize: 36B
            MD5: 5e1a8c832b11608f3f601dd893d062a0
            SHA1: 09a7360894c7c51fa5c8e5e8e554a62178990944
            SHA256: 05af611254e04da3c15a5f203dba1084e7ce9e1191806662a7a85c5e24376cfe
            SHA512: 23c1bcc579c204590084c4964eb576ce681b0b1458777ceac3039933f2e7c01e8f7d9fe104113288c8974b19e14aee6b81d08cf5d96adf4070e97b9a15b4f274

          • \Users\Admin\AppData\Local\Temp\DCRatBuild.exe
            Filesize: 1.3MB
            MD5: cff73d5e7ef746ce500f30043fdf94ab
            SHA1: 1ec1699154e1825d5108839099391f1c55bfc4bc
            SHA256: fad0dee1597da34d116c31112b720c17b63c636a9c836f30db36dfb212c8229b
            SHA512: 0396f3dbee3dc36ff84175f8cd29624c9a0aecf3c55b9769b393765f4e8da6527c02efcf05e818ccf74e07bf080480585df0e287f31c47e3ece5bde4a4cb1326
          • memory/1032-23-0x0000000000260000-0x0000000000261000-memory.dmp
            Filesize: 4KB

          • memory/1032-38-0x0000000000290000-0x0000000000291000-memory.dmp
            Filesize: 4KB

          • memory/1032-42-0x0000000000400000-0x0000000002FD2000-memory.dmp
            Filesize: 43.8MB

          • memory/1032-18-0x0000000000250000-0x0000000000251000-memory.dmp
            Filesize: 4KB

          • memory/1032-15-0x0000000000240000-0x0000000000241000-memory.dmp
            Filesize: 4KB

          • memory/1032-13-0x0000000000240000-0x0000000000241000-memory.dmp
            Filesize: 4KB

          • memory/1032-10-0x0000000000230000-0x0000000000231000-memory.dmp
            Filesize: 4KB

          • memory/1032-8-0x0000000000230000-0x0000000000231000-memory.dmp
            Filesize: 4KB

          • memory/1032-6-0x0000000000230000-0x0000000000231000-memory.dmp
            Filesize: 4KB

          • memory/1032-5-0x0000000000220000-0x0000000000221000-memory.dmp
            Filesize: 4KB

          • memory/1032-0-0x0000000000408000-0x0000000001919000-memory.dmp
            Filesize: 21.1MB

          • memory/1032-25-0x0000000000260000-0x0000000000261000-memory.dmp
            Filesize: 4KB

          • memory/1032-53-0x0000000000400000-0x0000000002FD2000-memory.dmp
            Filesize: 43.8MB

          • memory/1032-28-0x0000000000270000-0x0000000000271000-memory.dmp
            Filesize: 4KB

          • memory/1032-30-0x0000000000270000-0x0000000000271000-memory.dmp
            Filesize: 4KB

          • memory/1032-67-0x0000000000408000-0x0000000001919000-memory.dmp
            Filesize: 21.1MB

          • memory/1032-66-0x0000000000400000-0x0000000002FD2000-memory.dmp
            Filesize: 43.8MB

          • memory/1032-1-0x0000000000220000-0x0000000000221000-memory.dmp
            Filesize: 4KB

          • memory/1032-159-0x0000000000400000-0x0000000002FD2000-memory.dmp
            Filesize: 43.8MB

          • memory/1032-3-0x0000000000220000-0x0000000000221000-memory.dmp
            Filesize: 4KB

          • memory/1032-31-0x0000000000280000-0x0000000000281000-memory.dmp
            Filesize: 4KB

          • memory/1032-33-0x0000000000280000-0x0000000000281000-memory.dmp
            Filesize: 4KB

          • memory/1032-40-0x0000000000290000-0x0000000000291000-memory.dmp
            Filesize: 4KB

          • memory/1032-20-0x0000000000250000-0x0000000000251000-memory.dmp
            Filesize: 4KB

          • memory/1032-35-0x0000000000280000-0x0000000000281000-memory.dmp
            Filesize: 4KB

          • memory/1032-36-0x0000000000290000-0x0000000000291000-memory.dmp
            Filesize: 4KB

          • memory/1520-185-0x000000001B590000-0x000000001B872000-memory.dmp
            Filesize: 2.9MB

          • memory/1520-186-0x0000000002170000-0x0000000002178000-memory.dmp
            Filesize: 32KB

          • memory/1692-274-0x0000000000AC0000-0x0000000000BCE000-memory.dmp
            Filesize: 1.1MB

          • memory/1968-207-0x0000000000BD0000-0x0000000000BDC000-memory.dmp
            Filesize: 48KB

          • memory/1968-204-0x00000000006E0000-0x00000000006F2000-memory.dmp
            Filesize: 72KB

          • memory/1968-205-0x0000000000AC0000-0x0000000000ACC000-memory.dmp
            Filesize: 48KB

          • memory/1968-203-0x0000000000BE0000-0x0000000000CEE000-memory.dmp
            Filesize: 1.1MB

          • memory/1968-206-0x0000000000AD0000-0x0000000000AD8000-memory.dmp
            Filesize: 32KB

          • memory/2332-178-0x000000001B5E0000-0x000000001B8C2000-memory.dmp
            Filesize: 2.9MB

          • memory/2332-179-0x0000000002860000-0x0000000002868000-memory.dmp
            Filesize: 32KB

          • memory/2476-252-0x00000000003C0000-0x00000000004CE000-memory.dmp
            Filesize: 1.1MB

          • memory/2660-162-0x0000000000BB0000-0x0000000000BD8000-memory.dmp
            Filesize: 160KB

          • memory/2724-151-0x0000000000A50000-0x0000000000A90000-memory.dmp
            Filesize: 256KB