Analysis
max time kernel: 842s
max time network: 842s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 14/01/2025, 02:46
Static task: static1
Behavioral task behavioral1: sample 3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe, resource win7-20240903-en
Behavioral task behavioral2: sample 3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe, resource win10v2004-20241007-en
Behavioral task behavioral3: sample 3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe, resource android-x86-arm-20240910-en
Behavioral task behavioral4: sample 3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe, resource android-x64-20240624-en
Behavioral task behavioral5: sample 3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe, resource android-x64-arm64-20240910-en
Behavioral task behavioral6: sample 3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe, resource macos-20241101-en
Behavioral task behavioral7: sample 3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe, resource ubuntu1804-amd64-20240611-en
Behavioral task behavioral8: sample 3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe, resource debian9-armhf-20240611-en
Behavioral task behavioral9: sample 3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe, resource debian9-mipsbe-20240418-en
Behavioral task behavioral10: sample 3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe, resource debian9-mipsel-20240611-en
General
Target: 3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe
Size: 16.0MB
MD5: 5aa236eabe65a1e444f1eb31fb330eba
SHA1: b6a8d5362991511526ea5a2b86ad70f05e70652c
SHA256: 3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714
SHA512: 0ab8e56f1f8a09491d96416bdc2798874ff153ef56c6476cd9eda9fe0744e77f56132073524f1a2719a75d5dea8dcd5706ee1497867f8b3e62c9a52641afc0be
SSDEEP: 98304:mjHzjFPB6n2gC9U851tTRIXDNgn+ojsSw9y4Q1vL3NPt:yHHFPgns9BvpyNgnNW4
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.
Dcrat family
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32Local\\csrss.exe\"" (DriverbrokerCrtDhcp.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32Local\\csrss.exe\", \"C:\\portBrokerDll\\DriverbrokerCrtDhcp.exe\"" (DriverbrokerCrtDhcp.exe)
Process spawned unexpected child process (6 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: pid 1784 schtasks.exe (pid_target 988, procid_target 39)
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: pid 688 schtasks.exe (pid_target 988, procid_target 39)
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: pid 828 schtasks.exe (pid_target 988, procid_target 39)
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: pid 1096 schtasks.exe (pid_target 988, procid_target 39)
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: pid 2396 schtasks.exe (pid_target 988, procid_target 39)
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: pid 2888 schtasks.exe (pid_target 988, procid_target 39)
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- pid 2812 powershell.exe
Disables Task Manager via registry modification
Executes dropped EXE (7 IoCs)
- pid 2736 XenoSetup(1).exe
- pid 2716 Xeno.exe
- pid 2148 DriverbrokerCrtDhcp.exe
- pid 1028 DriverbrokerCrtDhcp.exe
- pid 3104 csrss.exe
- pid 2772 DriverbrokerCrtDhcp.exe
- pid 880 csrss.exe
Loads dropped DLL (3 IoCs)
- pid 2144 3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe
- pid 2216 cmd.exe
- pid 2216 cmd.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
- Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\DriverbrokerCrtDhcp = "\"C:\\portBrokerDll\\DriverbrokerCrtDhcp.exe\"" (DriverbrokerCrtDhcp.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverbrokerCrtDhcp = "\"C:\\portBrokerDll\\DriverbrokerCrtDhcp.exe\"" (DriverbrokerCrtDhcp.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\XenoSetup(1) = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XenoSetup(1).exe" (3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32Local\\csrss.exe\"" (DriverbrokerCrtDhcp.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32Local\\csrss.exe\"" (DriverbrokerCrtDhcp.exe)
Drops file in System32 directory (2 IoCs)
- File created \??\c:\Windows\System32\CSCE315BEDE318D4B2E8E7AB2ACF6BA3E33.TMP (csc.exe)
- File created \??\c:\Windows\System32\dzuhbf.exe (csc.exe)
Drops file in Windows directory (3 IoCs)
- File created C:\Windows\System32Local\csrss.exe (DriverbrokerCrtDhcp.exe)
- File opened for modification C:\Windows\System32Local\csrss.exe (DriverbrokerCrtDhcp.exe)
- File created C:\Windows\System32Local\886983d96e3d3e (DriverbrokerCrtDhcp.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (reg.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (XenoSetup(1).exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WScript.exe)
Modifies registry key (1 TTPs, 1 IoCs)
- pid 2088 reg.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 6 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- pid 1784 schtasks.exe
- pid 688 schtasks.exe
- pid 828 schtasks.exe
- pid 1096 schtasks.exe
- pid 2396 schtasks.exe
- pid 2888 schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 2812 powershell.exe
- pid 2148 DriverbrokerCrtDhcp.exe (the remaining 63 rows are identical)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
- Token: SeDebugPrivilege, pid 2812 powershell.exe
- Token: SeDebugPrivilege, pid 2148 DriverbrokerCrtDhcp.exe
- Token: SeDebugPrivilege, pid 1028 DriverbrokerCrtDhcp.exe
- Token: SeDebugPrivilege, pid 3104 csrss.exe
- Token: SeDebugPrivilege, pid 2772 DriverbrokerCrtDhcp.exe
- Token: SeDebugPrivilege, pid 880 csrss.exe
Suspicious use of WriteProcessMemory (62 IoCs; identical rows collapsed, row count in brackets)
- PID 2144 wrote to memory of 2812 (process 3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe, procid_target 30) [3]
- PID 2144 wrote to memory of 2736 (process 3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe, procid_target 32) [7]
- PID 2144 wrote to memory of 2716 (process 3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe, procid_target 33) [3]
- PID 2736 wrote to memory of 1856 (process XenoSetup(1).exe, procid_target 34) [4]
- PID 1856 wrote to memory of 2216 (process WScript.exe, procid_target 35) [4]
- PID 2216 wrote to memory of 2088 (process cmd.exe, procid_target 37) [4]
- PID 2216 wrote to memory of 2148 (process cmd.exe, procid_target 38) [4]
- PID 2148 wrote to memory of 884 (process DriverbrokerCrtDhcp.exe, procid_target 43) [3]
- PID 884 wrote to memory of 2756 (process csc.exe, procid_target 45) [3]
- PID 2148 wrote to memory of 2812 (process DriverbrokerCrtDhcp.exe, procid_target 46) [3]
- PID 2812 wrote to memory of 2808 (process csc.exe, procid_target 48) [3]
- PID 2148 wrote to memory of 1940 (process DriverbrokerCrtDhcp.exe, procid_target 52) [3]
- PID 1940 wrote to memory of 2860 (process cmd.exe, procid_target 54) [3]
- PID 1940 wrote to memory of 1684 (process cmd.exe, procid_target 55) [3]
- PID 1940 wrote to memory of 1028 (process cmd.exe, procid_target 56) [3]
- PID 2896 wrote to memory of 3104 (process taskeng.exe, procid_target 59) [3]
- PID 2896 wrote to memory of 2772 (process taskeng.exe, procid_target 61) [3]
- PID 2896 wrote to memory of 880 (process taskeng.exe, procid_target 63) [3]
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree (the leading number is the nesting depth; each entry lists image path, command line, PID and the signatures that matched it):

1. C:\Users\Admin\AppData\Local\Temp\3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
   PID: 2144
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XenoSetup(1).exe'
      PID: 2812
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Users\Admin\AppData\Local\Temp\XenoSetup(1).exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\XenoSetup(1).exe"
      PID: 2736
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WScript.exe
         Command line: "C:\Windows\System32\WScript.exe" "C:\portBrokerDll\2jfojLJgRy.vbe"
         PID: 1856
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c ""C:\portBrokerDll\Ac4k16M5JuZ3cBUzCeuZfRwt20LYrImECkDEo2qhe7JRV.bat" "
            PID: 2216
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\reg.exe
               Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
               PID: 2088
               - System Location Discovery: System Language Discovery
               - Modifies registry key
            5. C:\portBrokerDll\DriverbrokerCrtDhcp.exe
               Command line: "C:\portBrokerDll/DriverbrokerCrtDhcp.exe"
               PID: 2148
               - Modifies WinLogon for persistence
               - Executes dropped EXE
               - Adds Run key to start application
               - Drops file in Windows directory
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ff1b3bxt\ff1b3bxt.cmdline"
                  PID: 884
                  - Suspicious use of WriteProcessMemory
                  7. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                     Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A47.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3778DFE98A5D48DCBA8EAC777B3C3795.TMP"
                     PID: 2756
               6. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p25bb52k\p25bb52k.cmdline"
                  PID: 2812
                  - Drops file in System32 directory
                  - Suspicious use of WriteProcessMemory
                  7. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                     Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6AA5.tmp" "c:\Windows\System32\CSCE315BEDE318D4B2E8E7AB2ACF6BA3E33.TMP"
                     PID: 2808
               6. C:\Windows\System32\cmd.exe
                  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iuDfx3Qvui.bat"
                  PID: 1940
                  - Suspicious use of WriteProcessMemory
                  7. C:\Windows\system32\chcp.com
                     Command line: chcp 65001
                     PID: 2860
                  7. C:\Windows\system32\w32tm.exe
                     Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                     PID: 1684
                  7. C:\portBrokerDll\DriverbrokerCrtDhcp.exe
                     Command line: "C:\portBrokerDll\DriverbrokerCrtDhcp.exe"
                     PID: 1028
                     - Executes dropped EXE
                     - Suspicious use of AdjustPrivilegeToken
   2. C:\Users\Admin\AppData\Local\Temp\Xeno.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Xeno.exe"
      PID: 2716
      - Executes dropped EXE

1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\System32Local\csrss.exe'" /f
   PID: 1784
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task

1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32Local\csrss.exe'" /rl HIGHEST /f
   PID: 688
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task

1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\System32Local\csrss.exe'" /rl HIGHEST /f
   PID: 828
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task

1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "DriverbrokerCrtDhcpD" /sc MINUTE /mo 6 /tr "'C:\portBrokerDll\DriverbrokerCrtDhcp.exe'" /f
   PID: 1096
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task

1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "DriverbrokerCrtDhcp" /sc ONLOGON /tr "'C:\portBrokerDll\DriverbrokerCrtDhcp.exe'" /rl HIGHEST /f
   PID: 2396
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task

1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "DriverbrokerCrtDhcpD" /sc MINUTE /mo 9 /tr "'C:\portBrokerDll\DriverbrokerCrtDhcp.exe'" /rl HIGHEST /f
   PID: 2888
   - Process spawned unexpected child process
   - Scheduled Task/Job: Scheduled Task

1. C:\Windows\system32\taskeng.exe
   Command line: taskeng.exe {7B6B8C53-19D9-4A36-8F5B-CA22E4D1B5C3} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
   PID: 2896
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32Local\csrss.exe
      Command line: C:\Windows\System32Local\csrss.exe
      PID: 3104
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
   2. C:\portBrokerDll\DriverbrokerCrtDhcp.exe
      Command line: C:\portBrokerDll\DriverbrokerCrtDhcp.exe
      PID: 2772
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\System32Local\csrss.exe
      Command line: C:\Windows\System32Local\csrss.exe
      PID: 880
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads