Analysis
- max time kernel: 262s
- max time network: 265s
- platform: windows10-2004_x64
- resource: win10v2004-20250129-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/02/2025, 13:01
Static task: static1
Behavioral task: behavioral1
- Sample: Desktop.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: Desktop.exe
- Resource: win10v2004-20250129-en
General
- Target: Desktop.exe
- Size: 1.2MB
- MD5: 5833c4689f6bbc304244301c22fddd3f
- SHA1: 6bc8af057a2f44745b3e0ff83b54da8f9aea0aa9
- SHA256: 8754de98bb6c8a9684c964b0453d69fb1dc619236c8b3bbf6495e47f5200bafe
- SHA512: 2c54c61e73c6cea8e1b16ce1888da64094cce5dfa8e00f8d14b66c9aee411eaf5183f46d8f7c9d87d6dd9489b4d3d604a355643e1493c0173407ae29de85b28a
- SSDEEP: 24576:yuDXTIGaPhEYzUzA0bBY2mb7vwKE5ziV5kD12wxc3C0FqVj8GACbZfsV:1Djlabwz9K2OvwKE5GV5k5c3XFqp8fdV
Malware Config
Signatures
- Njrat family
- Stops running service(s) 4 TTPs
- Checks computer location settings 2 TTPs 4 IoCs
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation | 1.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation | dllhost.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation | Desktop.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation | RTP_Launcher.exe
- Drops startup file 3 IoCs
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3deffefe0e2775360ccb15d96c6aeb42.exe | dllhost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3deffefe0e2775360ccb15d96c6aeb42.exe | dllhost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3deffefe0e2775360ccb15d96c6aeb42.exe | dllhost.exe
- Executes dropped EXE 11 IoCs
  pid | Process
  452 | RTP_Launcher.exe
  2624 | RTC_Launcher.exe
  4076 | 1.exe
  3556 | dllhost.exe
  4256 | dllhost.exe
  2288 | c4dcbc5831444c439af6c44ef399b75b.exe
  4352 | 9be3e1982fbf46388fa6be2b4646a175.exe
  3980 | 92074149b9204fbeba672fe752b2bc29.exe
  1312 | dllhost.exe
  2896 | dllhost.exe
  3856 | dllhost.exe
- Adds Run key to start application 2 TTPs 4 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3deffefe0e2775360ccb15d96c6aeb42 = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .." | dllhost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3deffefe0e2775360ccb15d96c6aeb42 = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .." | dllhost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3deffefe0e2775360ccb15d96c6aeb42 = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .." | dllhost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3deffefe0e2775360ccb15d96c6aeb42 = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .." | dllhost.exe
- Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
  pid | Process
  3924 | powershell.exe
  640 | powershell.exe
- Launches sc.exe 6 IoCs
  Sc.exe is a Windows utility to control services on the system.
  pid | Process
  1536 | sc.exe
  1776 | sc.exe
  3560 | sc.exe
  3556 | sc.exe
  2572 | sc.exe
  5012 | sc.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery 1 TTPs 28 IoCs
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dllhost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dllhost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dllhost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dllhost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dllhost.exe
- Checks SCSI registry key(s) 3 TTPs 3 IoCs
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
- Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1060 | schtasks.exe
  1900 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid | Process (64 entries in total, spread across the three processes below; repeated rows collapsed)
  3096 | taskmgr.exe
  3924 | powershell.exe
  3556 | dllhost.exe
- Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  pid | Process
  3556 | dllhost.exe
  1312 | dllhost.exe
- Suspicious use of AdjustPrivilegeToken 48 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 2624 | RTC_Launcher.exe
  Token: SeDebugPrivilege | 3096 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 3096 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 3096 | taskmgr.exe
  Token: SeDebugPrivilege | 3924 | powershell.exe
  Token: SeDebugPrivilege | 3556 | dllhost.exe
  Token: 33, then Token: SeIncBasePriorityPrivilege (pair repeated 3 times) | 3556 | dllhost.exe
  Token: 33, then Token: SeIncBasePriorityPrivilege | 3808 | AUDIODG.EXE
  Token: 33, then Token: SeIncBasePriorityPrivilege | 3556 | dllhost.exe
  Token: SeDebugPrivilege | 640 | powershell.exe
  Token: SeDebugPrivilege | 1312 | dllhost.exe
  Token: 33, then Token: SeIncBasePriorityPrivilege (pair repeated 15 times) | 1312 | dllhost.exe
- Suspicious use of FindShellTrayWindow 30 IoCs
  pid | Process
  3096 | taskmgr.exe (30 identical entries)
- Suspicious use of SendNotifyMessage 30 IoCs
  pid | Process
  3096 | taskmgr.exe (30 identical entries)
- Suspicious use of WriteProcessMemory 64 IoCs
  pid | Process | wrote to memory of (pid) | procid_target | entries
  4584 | Desktop.exe | 452 | 109 | 2
  4584 | Desktop.exe | 2624 | 110 | 2
  452 | RTP_Launcher.exe | 4076 | 111 | 3
  4076 | 1.exe | 3556 | 115 | 3
  3556 | dllhost.exe | 5048 | 117 | 3
  3556 | dllhost.exe | 3688 | 120 | 3
  3688 | cmd.exe | 3924 | 122 | 3
  3556 | dllhost.exe | 4308 | 124 | 3
  4308 | cmd.exe | 1536 | 126 | 3
  3556 | dllhost.exe | 1992 | 127 | 3
  1992 | cmd.exe | 1776 | 129 | 3
  3556 | dllhost.exe | 3364 | 130 | 3
  3364 | cmd.exe | 3560 | 132 | 3
  3556 | dllhost.exe | 760 | 133 | 3
  3556 | dllhost.exe | 1060 | 135 | 3
  3556 | dllhost.exe | 2288 | 140 | 2
  3556 | dllhost.exe | 4352 | 143 | 2
  3556 | dllhost.exe | 3980 | 144 | 2
  1312 | dllhost.exe | 456 | 158 | 3
  1312 | dllhost.exe | 1036 | 160 | 3
  1036 | cmd.exe | 640 | 162 | 3
  1312 | dllhost.exe | 772 | 163 | 3
  772 | cmd.exe | 3556 | 165 | 3
- Views/modifies file attributes 1 TTPs 2 IoCs
  pid | Process
  5048 | attrib.exe
  456 | attrib.exe
Processes (the bracketed number is the depth of the process in the tree)
- [1] C:\Users\Admin\AppData\Local\Temp\Desktop.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Desktop.exe"
  PID: 1520
- [1] C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 536
- [1] C:\Users\Admin\AppData\Local\Temp\Desktop.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Desktop.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  PID: 4584
  - [2] C:\Users\Admin\AppData\Roaming\RTP_Launcher.exe
    Command line: "C:\Users\Admin\AppData\Roaming\RTP_Launcher.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
    PID: 452
    - [3] C:\Users\Admin\AppData\Roaming\1.exe
      Command line: "C:\Users\Admin\AppData\Roaming\1.exe"
      Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      PID: 4076
      - [4] C:\Users\Admin\AppData\Roaming\dllhost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\dllhost.exe"
        Signatures: Checks computer location settings; Drops startup file; Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        PID: 3556
        - [5] C:\Windows\SysWOW64\attrib.exe
          Command line: attrib +h "C:\Users\Admin\AppData\Roaming\dllhost.exe"
          Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
          PID: 5048
        - [5] C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
          Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          PID: 3688
          - [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
            Signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            PID: 3924
        - [5] C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c sc query windefend
          Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          PID: 4308
          - [6] C:\Windows\SysWOW64\sc.exe
            Command line: sc query windefend
            Signatures: Launches sc.exe; System Location Discovery: System Language Discovery
            PID: 1536
        - [5] C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c sc stop windefend
          Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          PID: 1992
          - [6] C:\Windows\SysWOW64\sc.exe
            Command line: sc stop windefend
            Signatures: Launches sc.exe; System Location Discovery: System Language Discovery
            PID: 1776
        - [5] C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c sc delete windefend
          Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          PID: 3364
          - [6] C:\Windows\SysWOW64\sc.exe
            Command line: sc delete windefend
            Signatures: Launches sc.exe; System Location Discovery: System Language Discovery
            PID: 3560
        - [5] C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /delete /tn CleanSweepCheck /f
          Signatures: System Location Discovery: System Language Discovery
          PID: 760
        - [5] C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /sc minute /mo 1 /tn CleanSweepCheck /tr C:\Users\Admin\AppData\Roaming\dllhost.exe
          Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
          PID: 1060
        - [5] C:\Users\Admin\AppData\Local\Temp\c4dcbc5831444c439af6c44ef399b75b.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\c4dcbc5831444c439af6c44ef399b75b.exe"
          Signatures: Executes dropped EXE
          PID: 2288
        - [5] C:\Users\Admin\AppData\Local\Temp\9be3e1982fbf46388fa6be2b4646a175.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\9be3e1982fbf46388fa6be2b4646a175.exe"
          Signatures: Executes dropped EXE
          PID: 4352
        - [5] C:\Users\Admin\AppData\Local\Temp\92074149b9204fbeba672fe752b2bc29.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\92074149b9204fbeba672fe752b2bc29.exe"
          Signatures: Executes dropped EXE
          PID: 3980
  - [2] C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe
    Command line: "C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    PID: 2624
- [1] C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  PID: 3096
- [1] C:\Users\Admin\AppData\Roaming\dllhost.exe
  Command line: C:\Users\Admin\AppData\Roaming\dllhost.exe
  Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  PID: 4256
- [1] C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x2ec 0x150
  Signatures: Suspicious use of AdjustPrivilegeToken
  PID: 3808
- [1] C:\Users\Admin\AppData\Roaming\dllhost.exe
  Command line: C:\Users\Admin\AppData\Roaming\dllhost.exe
  Signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 1312
  - [2] C:\Windows\SysWOW64\attrib.exe
    Command line: attrib +h "C:\Users\Admin\AppData\Roaming\dllhost.exe"
    Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
    PID: 456
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    PID: 1036
    - [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
      Signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
      PID: 640
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c sc query windefend
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    PID: 772
    - [3] C:\Windows\SysWOW64\sc.exe
      Command line: sc query windefend
      Signatures: Launches sc.exe; System Location Discovery: System Language Discovery
      PID: 3556
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c sc stop windefend
    Signatures: System Location Discovery: System Language Discovery
    PID: 4208
    - [3] C:\Windows\SysWOW64\sc.exe
      Command line: sc stop windefend
      Signatures: Launches sc.exe; System Location Discovery: System Language Discovery
      PID: 2572
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c sc delete windefend
    Signatures: System Location Discovery: System Language Discovery
    PID: 1540
    - [3] C:\Windows\SysWOW64\sc.exe
      Command line: sc delete windefend
      Signatures: Launches sc.exe; System Location Discovery: System Language Discovery
      PID: 5012
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /delete /tn CleanSweepCheck /f
    Signatures: System Location Discovery: System Language Discovery
    PID: 1532
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /sc minute /mo 1 /tn CleanSweepCheck /tr C:\Users\Admin\AppData\Roaming\dllhost.exe
    Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
    PID: 1900
- [1] C:\Users\Admin\AppData\Roaming\dllhost.exe
  Command line: C:\Users\Admin\AppData\Roaming\dllhost.exe
  Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  PID: 2896
- [1] C:\Users\Admin\AppData\Roaming\dllhost.exe
  Command line: C:\Users\Admin\AppData\Roaming\dllhost.exe
  Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  PID: 3856
Network
MITRE ATT&CK Enterprise v15 (number in parentheses is the hit count for that technique or sub-technique)
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
- System Services (1): Service Execution (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Hide Artifacts (1): Hidden Files and Directories (1)
- Impair Defenses (1)
- Modify Registry (1)
Downloads
- Filesize: 319B
  MD5: da4fafeffe21b7cb3a8c170ca7911976
  SHA1: 50ef77e2451ab60f93f4db88325b897d215be5ad
  SHA256: 7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7
  SHA512: 0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6
- Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
- Filesize: 18KB
  MD5: 13359149579e2d2855d13bdb42169f78
  SHA1: a423b9590bc5a41b51ac50eaaa8ab01bc4dd7532
  SHA256: 316b4c52727c53fbcf96cd7b9c112aeaa868feb8b4fddee0b7b203f37efcaf1b
  SHA512: a62f2a42aa97e29aa7ee81b82d2a217ef2b5cf64516888425ffc18a80b13b1ae30b5c054c052018ac3c55660599301db90cca14fa57c476cefd38447cc2e2dde
- Filesize: 997KB
  MD5: 28aaac578be4ce06cb695e4f927b4302
  SHA1: 880ab0560b81e05e920f9ec1d6c0ecf5e04eaa7e
  SHA256: 8929d3b749ff91527b8e407eff6bde4bb0bb27739313b5c0db0434cbf700dbfc
  SHA512: 068698bda0543c773b36830f6760456e40e9046d9d20089ad88cb646ef5c7bd6c6716c6d59cfc7abd5bffb9129f5a7076e2f9c9b321795f224923f00b7b91374
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 844KB
  MD5: 8cac1595b184f66d7a122af38d5dfe71
  SHA1: e0bc0162472edf77a05134e77b540663ac050ab6
  SHA256: 00201a2fd4916193c9c7bbba7be6a77fa5876085480b67da4e1228fd8b23ae5f
  SHA512: 88d3753ce73bbf95ee1fdbdff21eb9331e59ca92cfa5c489f141c07dc90871e3032e331c9dd77b1fec4522add3ac25c51d5c699d7801a5343dd2ae447c60f8f8
- Filesize: 83KB
  MD5: fc2d4b9309debcea8f52537442d05b81
  SHA1: ca5a2b9a954f0f1d2d553429a85470af9d02e131
  SHA256: 7c797c4bcbf2c867c4e2e62e7db64389faa7ff2baf94dcb85c5d3040bc17c6ce
  SHA512: 8fcbcf041045c00f9bb8e9571c2f357db6967f9dceef01b166635072f136e038ba0a0d5989852b5f02a537ed157fbd2bf5b0780a12aa339c0f0bbfd680bd78e8
- Filesize: 758KB
  MD5: cb1929328dea316fcb34f3486697d16e
  SHA1: 8c2db8d4b4644cb356a9283b2fa7bb6a988a5d7b
  SHA256: 7a3deffc327b1e49cbc95dc4c41f1f4c0fd55825cc7c18fd06b96a900e0bf5f9
  SHA512: 90ef1cc19c01c1c0b2b4b802e88d622ff07ffc91273350200cd0589e6acabb63634af2883f6cae554dacab0f401b4294d13291707507c6fa035c282214fc6a28
- Filesize: 519KB
  MD5: a40b8cf101834a796e8bda79f60d5707
  SHA1: 3b025c326303fe183642a9ac2c9bfaa5c0911380
  SHA256: d4fa450eca9bf6a80015d4b92c09068b4fad6cb0b0b737cf28bca3ba659fa025
  SHA512: e5af5e7bbe3a9db0daa6d1f89c52d21563457b79ba2ca2ce4e017ac696e6fa5ec17e83086cbce506945419e63d9fa595bdbfb40278ce783d416f27c1f917b854