Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/01/2025, 02:35

General

  • Target

    595fab3363e5c90ecf3f7375a0b82d996c96b6a0307ad31e6d79dde07eeb8595.exe

  • Size

    1.1MB

  • MD5

    490aa1e56fab47858d780a9fdbafb5bf

  • SHA1

    337d8c93caf41a62f0720ae1f0c02d262ac0a274

  • SHA256

    595fab3363e5c90ecf3f7375a0b82d996c96b6a0307ad31e6d79dde07eeb8595

  • SHA512

    7ff8f6983c789f78f67063745fef92040bb5cb88463e82f6a9f05ba0b48021bd2c541cec6e06726748547f0800abd14dd52fe798feddcb1427a46b87619a4f00

  • SSDEEP

    24576:2TbBv5rUyXV0VTney9cyQJMA+b3iE0nHA6E:IBJgTney9clmA+b3KHe

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. In this run the unexpected children are the dropper's own WScript.exe -> cmd.exe -> dropped EXE chain (see Processes below), not an exploited host process.

  • DCRat payload 2 IoCs
  • Checks computer location settings 2 TTPs 18 IoCs

    Looks up the country code configured in the registry, most likely for geofencing.

  • Executes dropped EXE 16 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class 17 IoCs
  • Runs ping.exe 1 TTPs 8 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
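The three persistence signatures above (Winlogon modification, Run key, scheduled task) are the artifacts an incident responder hunts for on other hosts. The following is an added example, not part of the tria.ge report and not code from the sample: an offline audit of a `reg export`-style text for the Winlogon and Run-key locations. The export text is constructed to exercise the checks; the report does not say which Winlogon value or which Run entry the sample wrote, so the Userinit and Run lines below are illustrative, and the default values and "expected roots" heuristic are assumptions.

```python
import re

# Constructed `reg export`-style text used to exercise the checks below. The report
# states only that the sample modifies Winlogon and adds a Run key; which value and
# which entry are NOT stated, so these lines are illustrative, not recovered data.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\ProviderserverruntimeperfSvc\\ChainPortsurrogate.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"ChainPortsurrogate"="\"C:\\ProviderserverruntimeperfSvc\\ChainPortsurrogate.exe\""
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
DEFAULT_USERINIT = "c:\\windows\\system32\\userinit.exe"   # clean default is this path plus a trailing comma
DEFAULT_SHELL = "explorer.exe"
# Assumed "normal" launch roots for autoruns; anything else (e.g. a fresh directory under C:\) is flagged.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\", "c:\\users\\")


def _unescape(s: str) -> str:
    """Undo .reg escaping for string data: \\\\ -> \\ and \\" -> " ."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export.
    Non-string types (dword:, hex(2): ...) are skipped on purpose."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = _unescape(m.group(1)), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                keys[current][name] = _unescape(data[1:-1])
    return keys


def _exe_from_command(cmd: str) -> str:
    """First token of an autorun command: the quoted path if quoted, else up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def audit_registry_export(text: str) -> list:
    """Flag Winlogon tampering and Run/RunOnce entries that launch from unexpected locations."""
    findings = []
    for key, values in parse_reg_export(text).items():
        k = key.lower()
        if k.endswith("\\winlogon"):
            # Userinit is a comma-separated launch list; anything besides userinit.exe is an added launcher.
            launchers = [p.strip().lower() for p in values.get("Userinit", "").split(",") if p.strip()]
            extra = [p for p in launchers if p != DEFAULT_USERINIT]
            if extra:
                findings.append(f"Winlogon\\Userinit has extra launcher(s): {extra}")
            shell = values.get("Shell", DEFAULT_SHELL).lower()
            if shell != DEFAULT_SHELL:
                findings.append(f"Winlogon\\Shell replaced: {shell}")
        elif k.endswith("\\run") or k.endswith("\\runonce"):
            for name, cmd in values.items():
                exe = _exe_from_command(cmd).lower()
                if not exe.startswith(EXPECTED_ROOTS):
                    findings.append(f"{key}\\{name} launches from unexpected path: {exe}")
    return findings


if __name__ == "__main__":
    for finding in audit_registry_export(SAMPLE_REG_EXPORT):
        print(finding)
```

On a real host `reg export` writes UTF-16LE with a BOM, so decode the file with `utf-16` before passing it in; REG_EXPAND_SZ values exported as `hex(2):` are skipped by this parser and need a separate decode. The path heuristic is a triage filter only: a Run entry under C:\Users is still worth checking against file hash and signer, and the scheduled-task signature above needs a look at C:\Windows\System32\Tasks, which this example does not cover.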

Processes

  • C:\Users\Admin\AppData\Local\Temp\595fab3363e5c90ecf3f7375a0b82d996c96b6a0307ad31e6d79dde07eeb8595.exe
    "C:\Users\Admin\AppData\Local\Temp\595fab3363e5c90ecf3f7375a0b82d996c96b6a0307ad31e6d79dde07eeb8595.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1248
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProviderserverruntimeperfSvc\4oe8qKx4BC4jNir9oLrOplwqP.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4496
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ProviderserverruntimeperfSvc\wnVkTofZircZrFhWJh5AKDNhgeSRpsYNieNXBbC85wZu.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2460
        • C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
          "C:\ProviderserverruntimeperfSvc/ChainPortsurrogate.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2376
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fakg2ago\fakg2ago.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:2564
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EC5.tmp" "c:\Windows\System32\CSCF72B44DD612C48DC85141C1D8CCE4615.TMP"
              6⤵
                PID:4080
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s4lwCkAQ41.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1856
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:2548
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  6⤵
                    PID:3648
                  • C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                    "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
                    6⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Modifies registry class
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3160
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HnJb1ZSpW8.bat"
                      7⤵
                      • Suspicious use of WriteProcessMemory
                      PID:636
                      • C:\Windows\system32\chcp.com
                        chcp 65001
                        8⤵
                          PID:2384
                        • C:\Windows\system32\PING.EXE
                          ping -n 10 localhost
                          8⤵
                          • System Network Configuration Discovery: Internet Connection Discovery
                          • Runs ping.exe
                          PID:3052
                        • C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                          "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
                          8⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:1944
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1dc23k5BXS.bat"
                            9⤵
                            • Suspicious use of WriteProcessMemory
                            PID:3380
                            • C:\Windows\system32\chcp.com
                              chcp 65001
                              10⤵
                                PID:640
                              • C:\Windows\system32\PING.EXE
                                ping -n 10 localhost
                                10⤵
                                • System Network Configuration Discovery: Internet Connection Discovery
                                • Runs ping.exe
                                PID:2060
                              • C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
                                10⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Modifies registry class
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of WriteProcessMemory
                                PID:840
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bnA1lkrrKq.bat"
                                  11⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:2132
                                  • C:\Windows\system32\chcp.com
                                    chcp 65001
                                    12⤵
                                      PID:336
                                    • C:\Windows\system32\PING.EXE
                                      ping -n 10 localhost
                                      12⤵
                                      • System Network Configuration Discovery: Internet Connection Discovery
                                      • Runs ping.exe
                                      PID:1104
                                    • C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                      "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
                                      12⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Modifies registry class
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      PID:3516
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QtbRvp1Luy.bat"
                                        13⤵
                                        • Suspicious use of WriteProcessMemory
                                        PID:1184
                                        • C:\Windows\system32\chcp.com
                                          chcp 65001
                                          14⤵
                                            PID:4576
                                          • C:\Windows\system32\PING.EXE
                                            ping -n 10 localhost
                                            14⤵
                                            • System Network Configuration Discovery: Internet Connection Discovery
                                            • Runs ping.exe
                                            PID:1752
                                          • C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                            "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
                                            14⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Modifies registry class
                                            • Suspicious use of AdjustPrivilegeToken
                                            • Suspicious use of WriteProcessMemory
                                            PID:2500
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2rRAYV41jN.bat"
                                              15⤵
                                              • Suspicious use of WriteProcessMemory
                                              PID:5088
                                              • C:\Windows\system32\chcp.com
                                                chcp 65001
                                                16⤵
                                                  PID:1856
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  16⤵
                                                    PID:1136
                                                  • C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                    "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
                                                    16⤵
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Modifies registry class
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:1460
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NkZfuSJvBK.bat"
                                                      17⤵
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:4820
                                                      • C:\Windows\system32\chcp.com
                                                        chcp 65001
                                                        18⤵
                                                          PID:4304
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          18⤵
                                                            PID:3176
                                                          • C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                            "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
                                                            18⤵
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • Modifies registry class
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:4708
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D5pDZHTGxN.bat"
                                                              19⤵
                                                                PID:3216
                                                                • C:\Windows\system32\chcp.com
                                                                  chcp 65001
                                                                  20⤵
                                                                    PID:924
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    20⤵
                                                                      PID:2136
                                                                    • C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                                      "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
                                                                      20⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Modifies registry class
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:4368
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R7RZQa1C6t.bat"
                                                                        21⤵
                                                                          PID:1892
                                                                          • C:\Windows\system32\chcp.com
                                                                            chcp 65001
                                                                            22⤵
                                                                              PID:3376
                                                                            • C:\Windows\system32\PING.EXE
                                                                              ping -n 10 localhost
                                                                              22⤵
                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                              • Runs ping.exe
                                                                              PID:4976
                                                                            • C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                                              "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
                                                                              22⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Modifies registry class
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:4544
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p3fxByWxmm.bat"
                                                                                23⤵
                                                                                  PID:1160
                                                                                  • C:\Windows\system32\chcp.com
                                                                                    chcp 65001
                                                                                    24⤵
                                                                                      PID:2612
                                                                                    • C:\Windows\system32\PING.EXE
                                                                                      ping -n 10 localhost
                                                                                      24⤵
                                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                                      • Runs ping.exe
                                                                                      PID:5068
                                                                                    • C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                                                      "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
                                                                                      24⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Modifies registry class
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:3700
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2rRAYV41jN.bat"
                                                                                        25⤵
                                                                                          PID:4864
                                                                                          • C:\Windows\system32\chcp.com
                                                                                            chcp 65001
                                                                                            26⤵
                                                                                              PID:2960
                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                              26⤵
                                                                                                PID:2456
                                                                                              • C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                                                                "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
                                                                                                26⤵
                                                                                                • Checks computer location settings
                                                                                                • Executes dropped EXE
                                                                                                • Modifies registry class
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:1060
                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ub5pO60uUj.bat"
                                                                                                  27⤵
                                                                                                    PID:5072
                                                                                                    • C:\Windows\system32\chcp.com
                                                                                                      chcp 65001
                                                                                                      28⤵
                                                                                                        PID:2940
                                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                        28⤵
                                                                                                          PID:4964
                                                                                                        • C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                                                                          "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
                                                                                                          28⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Modifies registry class
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:4216
                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nFOCGIGxkl.bat"
                                                                                                            29⤵
                                                                                                              PID:2364
                                                                                                              • C:\Windows\system32\chcp.com
                                                                                                                chcp 65001
                                                                                                                30⤵
                                                                                                                  PID:4312
                                                                                                                • C:\Windows\system32\w32tm.exe
                                                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                  30⤵
                                                                                                                    PID:3052
                                                                                                                  • C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                                                                                    "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
                                                                                                                    30⤵
                                                                                                                    • Checks computer location settings
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Modifies registry class
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    PID:4740
                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZXPLL9zJFP.bat"
                                                                                                                      31⤵
                                                                                                                        PID:4708
                                                                                                                        • C:\Windows\system32\chcp.com
                                                                                                                          chcp 65001
                                                                                                                          32⤵
                                                                                                                            PID:4464
                                                                                                                          • C:\Windows\system32\PING.EXE
                                                                                                                            ping -n 10 localhost
                                                                                                                            32⤵
                                                                                                                            • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                            • Runs ping.exe
                                                                                                                            PID:524
                                                                                                                          • C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                                                                                            "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
                                                                                                                            32⤵
                                                                                                                            • Checks computer location settings
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Modifies registry class
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:1256
                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gjUXinqH5W.bat"
                                                                                                                              33⤵
                                                                                                                                PID:3672
                                                                                                                                • C:\Windows\system32\chcp.com
                                                                                                                                  chcp 65001
                                                                                                                                  34⤵
                                                                                                                                    PID:3092
                                                                                                                                  • C:\Windows\system32\PING.EXE
                                                                                                                                    ping -n 10 localhost
                                                                                                                                    34⤵
                                                                                                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                    • Runs ping.exe
                                                                                                                                    PID:2660
                                                                                                                                  • C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                                                                                                    "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
                                                                                                                                    34⤵
                                                                                                                                    • Checks computer location settings
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Modifies registry class
                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                    PID:1452
                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cq054WUQlS.bat"
                                                                                                                                      35⤵
                                                                                                                                        PID:2132
                                                                                                                                        • C:\Windows\system32\chcp.com
                                                                                                                                          chcp 65001
                                                                                                                                          36⤵
                                                                                                                                            PID:5044
                                                                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                                            36⤵
                                                                                                                                              PID:4388
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\SppExtComObj.exe'" /f
                                                                        1⤵
                                                                        • Process spawned unexpected child process
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:3092
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\SppExtComObj.exe'" /rl HIGHEST /f
                                                                        1⤵
                                                                        • Process spawned unexpected child process
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:2344
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\SppExtComObj.exe'" /rl HIGHEST /f
                                                                        1⤵
                                                                        • Process spawned unexpected child process
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:880
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\dwm.exe'" /f
                                                                        1⤵
                                                                        • Process spawned unexpected child process
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:4228
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Pictures\dwm.exe'" /rl HIGHEST /f
                                                                        1⤵
                                                                        • Process spawned unexpected child process
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:4060
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Pictures\dwm.exe'" /rl HIGHEST /f
                                                                        1⤵
                                                                        • Process spawned unexpected child process
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:376
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /f
                                                                        1⤵
                                                                        • Process spawned unexpected child process
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:860
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /rl HIGHEST /f
                                                                        1⤵
                                                                        • Process spawned unexpected child process
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:2592
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /rl HIGHEST /f
                                                                        1⤵
                                                                        • Process spawned unexpected child process
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:4612
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\ProviderserverruntimeperfSvc\dwm.exe'" /f
                                                                        1⤵
                                                                        • Process spawned unexpected child process
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:3692
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\ProviderserverruntimeperfSvc\dwm.exe'" /rl HIGHEST /f
                                                                        1⤵
                                                                        • Process spawned unexpected child process
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:2164
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\ProviderserverruntimeperfSvc\dwm.exe'" /rl HIGHEST /f
                                                                        1⤵
                                                                        • Process spawned unexpected child process
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:5040
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
                                                                        1⤵
                                                                        • Process spawned unexpected child process
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:4388
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
                                                                        1⤵
                                                                        • Process spawned unexpected child process
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:1388
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
                                                                        1⤵
                                                                        • Process spawned unexpected child process
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:4432
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        schtasks.exe /create /tn "ChainPortsurrogateC" /sc MINUTE /mo 7 /tr "'C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe'" /f
                                                                        1⤵
                                                                        • Process spawned unexpected child process
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:1064
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        schtasks.exe /create /tn "ChainPortsurrogate" /sc ONLOGON /tr "'C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe'" /rl HIGHEST /f
                                                                        1⤵
                                                                        • Process spawned unexpected child process
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:3944
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        schtasks.exe /create /tn "ChainPortsurrogateC" /sc MINUTE /mo 13 /tr "'C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe'" /rl HIGHEST /f
                                                                        1⤵
                                                                        • Process spawned unexpected child process
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:3144

                                                                      Network

                                                                      MITRE ATT&CK Enterprise v15

                                                                      Downloads

                                                                      • C:\ProviderserverruntimeperfSvc\4oe8qKx4BC4jNir9oLrOplwqP.vbe

                                                                        Filesize

                                                                        250B

                                                                        MD5

                                                                        d8776d21a414703fcf32711bb7ecdfb4

                                                                        SHA1

                                                                        1c6820ca5097513a2be072a3b43eff1fc8403184

                                                                        SHA256

                                                                        bb5a09775dcaeb1c3c4d3cdd4c207c96f1a153aa23fed7512367eca6a3a0c22d

                                                                        SHA512

                                                                        ad33ca536cc149301ba111280388a9a6295ddd7c2be76fa3eefba8cab1f2727a4effc57b24adbf0be8f10c2d13872c215f9512dd470990541b39e2d2681595a9

                                                                      • C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe

                                                                        Filesize

                                                                        825KB

                                                                        MD5

                                                                        ce09db6adeeca051ff01abd8cf2e400d

                                                                        SHA1

                                                                        14e60e202c180152757a89d13d9989ec35e1f5a2

                                                                        SHA256

                                                                        ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16

                                                                        SHA512

                                                                        e80449cde93d19790e64c1fe24af1aeb00a3c392b4d57a529205a2339bbaa675b6ee21d2d068d65ef21c37d23d2f1b8b458706068ffe850410dc290c4d5c0ce3

                                                                      • C:\ProviderserverruntimeperfSvc\wnVkTofZircZrFhWJh5AKDNhgeSRpsYNieNXBbC85wZu.bat

                                                                        Filesize

                                                                        110B

                                                                        MD5

                                                                        9c91fe8e1765ddf30eda4052cbecbf48

                                                                        SHA1

                                                                        8acec401bdec034d55ead6804c69505c1d680e67

                                                                        SHA256

                                                                        9420d7930ae9f2040d5b46bc120da24e920fccf6882e69b74269f71e75cc0718

                                                                        SHA512

                                                                        e72ec080ae8fc66a5f712e3a525f0013d406b587523b3b6ff8dc80f12f12af183fc77b578293808f07e916a8b6f2252206b3c899200d0f70540cb70de467ea87

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ChainPortsurrogate.exe.log

                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        23e95ec462ffa2c6ca8cab1cb8724ab1

                                                                        SHA1

                                                                        ee3f5e815831cf925c4f00195cc8f336b6112862

                                                                        SHA256

                                                                        c6ed38229b96cfb59e61de06854a1a99a9d6c3285a6b8511a7b60d64caa6979c

                                                                        SHA512

                                                                        b92242ea8d3dbcd3de11725995c22f0a747b820cfff7cf44217589289621bdc2a25bb4db0e1f385bd6bc84c15d893fa5dad544e6bab89f072ccb822cd8bd08dd

                                                                      • C:\Users\Admin\AppData\Local\Temp\1dc23k5BXS.bat

                                                                        Filesize

                                                                        182B

                                                                        MD5

                                                                        1f763f9cedb8c47b98540071e717fbaf

                                                                        SHA1

                                                                        2130256ba484982034813ff69b1cd564ddb81113

                                                                        SHA256

                                                                        08c8745ab7298aed804083c78298fd27b62df11b10e87fe20f25703e8303e0fd

                                                                        SHA512

                                                                        60efc3214a8e2c2567098c622b2e5ae9cda9490527c9778b7d0a2ae38810fbc0490aee1daa0a57a84146774a43927aa032ef3abef265c0aed688838668929d96

                                                                      • C:\Users\Admin\AppData\Local\Temp\2rRAYV41jN.bat

                                                                        Filesize

                                                                        230B

                                                                        MD5

                                                                        20348dbad8b37d377590f4a866247473

                                                                        SHA1

                                                                        2096ff49854321c2a843e3af1ad1e009c7e485d8

                                                                        SHA256

                                                                        ba4b091c7bb9b21115db3076272a17c2a97ce83ffda271597a6f7ce880f664df

                                                                        SHA512

                                                                        1505817d2a100fa6cfdae472e7b4257a7ef9c0f8a28d23f9263413113912b0cbb85f1890135c58df52caaba942a1d611a24fcd0fc148ef78af54a3900adc0db3

                                                                      • C:\Users\Admin\AppData\Local\Temp\Cq054WUQlS.bat

                                                                        Filesize

                                                                        230B

                                                                        MD5

                                                                        e325e0f4fa01a3b9b651d5e17e23704c

                                                                        SHA1

                                                                        1a250a377ef9511fd9b1d541c543d6f49b43daff

                                                                        SHA256

                                                                        b33ef2276d55e33a9b6eaa2126310a95947d4bab280b8db04d43274ed2c2ca90

                                                                        SHA512

                                                                        975d98ead8860bad2bcee39b9e9b77ad2144e28e327e9d6f3fb6b912d53820bb2f9ab5abe384844d54d3854c9d5d82bd4f3d001de40731220515c69db06f0921

                                                                      • C:\Users\Admin\AppData\Local\Temp\D5pDZHTGxN.bat

                                                                        Filesize

                                                                        230B

                                                                        MD5

                                                                        f71d960c9072ee12e7fa782eb05e09a1

                                                                        SHA1

                                                                        2bf35292383ccf57a97d6e744277d3e758fcfa09

                                                                        SHA256

                                                                        d53db55a3de5946879500b99adac8a345d29be2c76c6b9e5cb481b20a10e72be

                                                                        SHA512

                                                                        73e33362fc8d1a349a898ba8682ba7a36355b67aae3a3dc524d6a678c7c16aad72c3de8a4c465a0568ffa55a1e63793df56c2d1ffcec7f0ceef8620dadea4d5c

                                                                      • C:\Users\Admin\AppData\Local\Temp\HnJb1ZSpW8.bat

                                                                        Filesize

                                                                        182B

                                                                        MD5

                                                                        52d0f16ec836d0d119481402c9367a6d

                                                                        SHA1

                                                                        d145dfbd31e2e2b2b90041900e74475f85818530

                                                                        SHA256

                                                                        6e95a0659f5088bfc4a6514bcb19854b69f9e0f4674277d37365cdbbdc529b06

                                                                        SHA512

                                                                        4f990df009af15e7d9f3c8537fa40081f287cc989fa5fbcc1b124a5082b18e4ca5a199b3c7d5d9dac5b7bd3a5ef3db4580d59e33a388e6d39fb2a49281fb3fa3

                                                                      • C:\Users\Admin\AppData\Local\Temp\NkZfuSJvBK.bat

                                                                        Filesize

                                                                        230B

                                                                        MD5

                                                                        d075b2f35e9a2bddaf9b50a771e5d749

                                                                        SHA1

                                                                        b9c250386ec078a34468c754f23573fa7f525ca6

                                                                        SHA256

                                                                        8d482ba15525032ed93631da6cacd497af653cc80550398966190c0b26fb2ab0

                                                                        SHA512

                                                                        14e635ececca1c5bcf791ca65be80fa60762ca92624fdd08c8c674ac46fd41958ec987e76958fad5c672f0c251e34a2ae2aec269344e7010170c38efdc202ac8

                                                                      • C:\Users\Admin\AppData\Local\Temp\QtbRvp1Luy.bat

                                                                        Filesize

                                                                        182B

                                                                        MD5

                                                                        7a377ee8c18b872d6969dd36d24f763d

                                                                        SHA1

                                                                        3b7ba02e3834fb5c7f70e3c8f49bcb4b66c7e51a

                                                                        SHA256

                                                                        421496a947fc88803321e800d193cac43e7e0ef77648235ec38022ab47d8a8bc

                                                                        SHA512

                                                                        d6fef10902761d22ca4f72db180b2dcc22f70a25dc626486cae5e900acc96b93d817712660e5c473813261feb11646e3939bf8c7a2d52db7ac9bded6421d1987

                                                                      • C:\Users\Admin\AppData\Local\Temp\R7RZQa1C6t.bat

                                                                        Filesize

                                                                        182B

                                                                      • C:\Users\Admin\AppData\Local\Temp\RES7EC5.tmp

                                                                        Filesize

                                                                        1KB

                                                                      • C:\Users\Admin\AppData\Local\Temp\Ub5pO60uUj.bat

                                                                        Filesize

                                                                        230B

                                                                      • C:\Users\Admin\AppData\Local\Temp\ZXPLL9zJFP.bat

                                                                        Filesize

                                                                        182B

                                                                      • C:\Users\Admin\AppData\Local\Temp\bnA1lkrrKq.bat

                                                                        Filesize

                                                                        182B

                                                                      • C:\Users\Admin\AppData\Local\Temp\gjUXinqH5W.bat

                                                                        Filesize

                                                                        182B

                                                                      • C:\Users\Admin\AppData\Local\Temp\nFOCGIGxkl.bat

                                                                        Filesize

                                                                        230B

                                                                      • C:\Users\Admin\AppData\Local\Temp\p3fxByWxmm.bat

                                                                        Filesize

                                                                        182B

                                                                      • C:\Users\Admin\AppData\Local\Temp\s4lwCkAQ41.bat

                                                                        Filesize

                                                                        230B

                                                                      • \??\c:\Users\Admin\AppData\Local\Temp\fakg2ago\fakg2ago.0.cs

                                                                        Filesize

                                                                        364B

                                                                      • \??\c:\Users\Admin\AppData\Local\Temp\fakg2ago\fakg2ago.cmdline

                                                                        Filesize

                                                                        235B

                                                                      • \??\c:\Windows\System32\CSCF72B44DD612C48DC85141C1D8CCE4615.TMP

                                                                        Filesize

                                                                        1KB

                                                                      • memory/2376-24-0x0000000002AA0000-0x0000000002AAE000-memory.dmp

                                                                        Filesize

                                                                        56KB

                                                                      • memory/2376-13-0x0000000000830000-0x0000000000904000-memory.dmp

                                                                        Filesize

                                                                        848KB

                                                                      • memory/2376-15-0x0000000001360000-0x000000000136E000-memory.dmp

                                                                        Filesize

                                                                        56KB

                                                                      • memory/2376-17-0x0000000002AC0000-0x0000000002ADC000-memory.dmp

                                                                        Filesize

                                                                        112KB

                                                                      • memory/2376-18-0x000000001B410000-0x000000001B460000-memory.dmp

                                                                        Filesize

                                                                        320KB

                                                                      • memory/2376-20-0x000000001B3C0000-0x000000001B3D8000-memory.dmp

                                                                        Filesize

                                                                        96KB

                                                                      • memory/2376-22-0x0000000001370000-0x000000000137E000-memory.dmp

                                                                        Filesize

                                                                        56KB

                                                                      • memory/2376-12-0x00007FFFF7FD3000-0x00007FFFF7FD5000-memory.dmp

                                                                        Filesize

                                                                        8KB