Analysis
max time kernel: 300s
max time network: 298s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/02/2025, 13:05
Static task: static1
Behavioral task: behavioral1 (Sample: RTPLaucnher.exe; Resource: win7-20240708-en)
Behavioral task: behavioral2 (Sample: RTPLaucnher.exe; Resource: win10v2004-20250129-en)
General
Target: RTPLaucnher.exe
Size: 1.2MB
MD5: be2c49c5b125229b6a2888c15bc325a3
SHA1: a8f06f5075201f15040cda52a3db33cabf09eb43
SHA256: 1369a84b1d457d45e6342d774a926c9b80afdf52620a7da9be77b2ab95559800
SHA512: 630c589bfc642893de2d28691b4d1d25029e6b1160633bff6657a4591b4a07cdeefe4f5aebde31b638ef3febae24f817fbf2c4ffd559ea39df1cd9a470622dce
SSDEEP: 24576:ruDXTIGaPhEYzUzA0niBceY2mb7vwKE5ziV5kD12wxc3C0FqVj8GACbZfsV:iDjlabwz9iB82OvwKE5GV5k5c3XFqp8D
Malware Config
Signatures
Njrat family
Stops running service(s) (4 TTPs)
Checks computer location settings (2 TTPs, 6 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation | RTPLaucnher.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation | RTP_Launcher.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation | 1.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation | RTPLaucnher.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation | RTP_Launcher.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation | 1.exe
Drops startup file (2 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3deffefe0e2775360ccb15d96c6aeb42.exe | dllhost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3deffefe0e2775360ccb15d96c6aeb42.exe | dllhost.exe
Executes dropped EXE (11 IoCs)
pid | Process
3680 | RTP_Launcher.exe
4624 | RTC_Launcher.exe
1816 | 1.exe
2288 | dllhost.exe
2228 | RTP_Launcher.exe
4740 | RTC_Launcher.exe
820 | 1.exe
1272 | dllhost.exe
4780 | dllhost.exe
1516 | dllhost.exe
516 | dllhost.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3deffefe0e2775360ccb15d96c6aeb42 = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .." | dllhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3deffefe0e2775360ccb15d96c6aeb42 = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .." | dllhost.exe
Command and Scripting Interpreter: PowerShell
pid | Process
3404 | powershell.exe
632 | powershell.exe
Launches sc.exe (3 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid | Process
212 | sc.exe
4412 | sc.exe
1952 | sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 21 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dllhost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dllhost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dllhost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dllhost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dllhost.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings | taskmgr.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4468 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
1272 | dllhost.exe
Suspicious use of AdjustPrivilegeToken (60 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4624 | RTC_Launcher.exe
Token: SeDebugPrivilege | 4636 | taskmgr.exe
Token: SeSystemProfilePrivilege | 4636 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 4636 | taskmgr.exe
Token: SeDebugPrivilege | 632 | powershell.exe
Token: 33 | 4636 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 4636 | taskmgr.exe
Token: SeDebugPrivilege | 4740 | RTC_Launcher.exe
Token: SeDebugPrivilege | 3404 | powershell.exe
Token: SeDebugPrivilege | 1272 | dllhost.exe
Token: 33 | 1272 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1272 | dllhost.exe
Token: 33 | 1272 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1272 | dllhost.exe
Token: 33 | 1272 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1272 | dllhost.exe
Token: 33 | 1272 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1272 | dllhost.exe
Token: 33 | 1272 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1272 | dllhost.exe
Token: 33 | 1272 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1272 | dllhost.exe
Token: 33 | 1272 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1272 | dllhost.exe
Token: 33 | 1272 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1272 | dllhost.exe
Token: 33 | 1272 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1272 | dllhost.exe
Token: 33 | 1272 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1272 | dllhost.exe
Token: 33 | 1272 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1272 | dllhost.exe
Token: 33 | 1272 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1272 | dllhost.exe
Token: 33 | 1272 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1272 | dllhost.exe
Token: 33 | 1272 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1272 | dllhost.exe
Token: 33 | 1272 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1272 | dllhost.exe
Token: 33 | 1272 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1272 | dllhost.exe
Token: 33 | 1272 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1272 | dllhost.exe
Token: 33 | 1272 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1272 | dllhost.exe
Token: 33 | 1272 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1272 | dllhost.exe
Token: 33 | 1272 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1272 | dllhost.exe
Token: 33 | 1272 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1272 | dllhost.exe
Token: 33 | 1272 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1272 | dllhost.exe
Token: 33 | 1272 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1272 | dllhost.exe
Token: 33 | 1272 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1272 | dllhost.exe
Token: 33 | 1272 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1272 | dllhost.exe
Suspicious use of FindShellTrayWindow 62 IoCs
Suspicious use of SendNotifyMessage 62 IoCs
Suspicious use of WriteProcessMemory (56 IoCs)
description | pid | Process | procid_target
PID 5032 wrote to memory of 3680 | 5032 | RTPLaucnher.exe | 99
PID 5032 wrote to memory of 3680 | 5032 | RTPLaucnher.exe | 99
PID 5032 wrote to memory of 4624 | 5032 | RTPLaucnher.exe | 102
PID 5032 wrote to memory of 4624 | 5032 | RTPLaucnher.exe | 102
PID 3680 wrote to memory of 1816 | 3680 | RTP_Launcher.exe | 103
PID 3680 wrote to memory of 1816 | 3680 | RTP_Launcher.exe | 103
PID 3680 wrote to memory of 1816 | 3680 | RTP_Launcher.exe | 103
PID 1816 wrote to memory of 2288 | 1816 | 1.exe | 105
PID 1816 wrote to memory of 2288 | 1816 | 1.exe | 105
PID 1816 wrote to memory of 2288 | 1816 | 1.exe | 105
PID 3632 wrote to memory of 632 | 3632 | cmd.exe | 115
PID 3632 wrote to memory of 632 | 3632 | cmd.exe | 115
PID 3632 wrote to memory of 632 | 3632 | cmd.exe | 115
PID 3388 wrote to memory of 2228 | 3388 | RTPLaucnher.exe | 122
PID 3388 wrote to memory of 2228 | 3388 | RTPLaucnher.exe | 122
PID 3388 wrote to memory of 4740 | 3388 | RTPLaucnher.exe | 123
PID 3388 wrote to memory of 4740 | 3388 | RTPLaucnher.exe | 123
PID 2228 wrote to memory of 820 | 2228 | RTP_Launcher.exe | 124
PID 2228 wrote to memory of 820 | 2228 | RTP_Launcher.exe | 124
PID 2228 wrote to memory of 820 | 2228 | RTP_Launcher.exe | 124
PID 820 wrote to memory of 1272 | 820 | 1.exe | 126
PID 820 wrote to memory of 1272 | 820 | 1.exe | 126
PID 820 wrote to memory of 1272 | 820 | 1.exe | 126
PID 1272 wrote to memory of 2764 | 1272 | dllhost.exe | 128
PID 1272 wrote to memory of 2764 | 1272 | dllhost.exe | 128
PID 1272 wrote to memory of 2764 | 1272 | dllhost.exe | 128
PID 1272 wrote to memory of 632 | 1272 | dllhost.exe | 130
PID 1272 wrote to memory of 632 | 1272 | dllhost.exe | 130
PID 1272 wrote to memory of 632 | 1272 | dllhost.exe | 130
PID 632 wrote to memory of 3404 | 632 | cmd.exe | 132
PID 632 wrote to memory of 3404 | 632 | cmd.exe | 132
PID 632 wrote to memory of 3404 | 632 | cmd.exe | 132
PID 1272 wrote to memory of 4900 | 1272 | dllhost.exe | 133
PID 1272 wrote to memory of 4900 | 1272 | dllhost.exe | 133
PID 1272 wrote to memory of 4900 | 1272 | dllhost.exe | 133
PID 4900 wrote to memory of 212 | 4900 | cmd.exe | 135
PID 4900 wrote to memory of 212 | 4900 | cmd.exe | 135
PID 4900 wrote to memory of 212 | 4900 | cmd.exe | 135
PID 1272 wrote to memory of 4212 | 1272 | dllhost.exe | 136
PID 1272 wrote to memory of 4212 | 1272 | dllhost.exe | 136
PID 1272 wrote to memory of 4212 | 1272 | dllhost.exe | 136
PID 4212 wrote to memory of 4412 | 4212 | cmd.exe | 138
PID 4212 wrote to memory of 4412 | 4212 | cmd.exe | 138
PID 4212 wrote to memory of 4412 | 4212 | cmd.exe | 138
PID 1272 wrote to memory of 1264 | 1272 | dllhost.exe | 139
PID 1272 wrote to memory of 1264 | 1272 | dllhost.exe | 139
PID 1272 wrote to memory of 1264 | 1272 | dllhost.exe | 139
PID 1264 wrote to memory of 1952 | 1264 | cmd.exe | 141
PID 1264 wrote to memory of 1952 | 1264 | cmd.exe | 141
PID 1264 wrote to memory of 1952 | 1264 | cmd.exe | 141
PID 1272 wrote to memory of 4100 | 1272 | dllhost.exe | 142
PID 1272 wrote to memory of 4100 | 1272 | dllhost.exe | 142
PID 1272 wrote to memory of 4100 | 1272 | dllhost.exe | 142
PID 1272 wrote to memory of 4468 | 1272 | dllhost.exe | 144
PID 1272 wrote to memory of 4468 | 1272 | dllhost.exe | 144
PID 1272 wrote to memory of 4468 | 1272 | dllhost.exe | 144
Views/modifies file attributes (1 TTPs, 2 IoCs)
pid | Process
3616 | attrib.exe
2764 | attrib.exe
Processes
Each process is listed with its PID, command line and matched signatures; child processes are indented under their parent.

C:\Users\Admin\AppData\Local\Temp\RTPLaucnher.exe (PID 5032)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RTPLaucnher.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\RTP_Launcher.exe (PID 3680)
      Command line: "C:\Users\Admin\AppData\Roaming\RTP_Launcher.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\1.exe (PID 1816)
          Command line: "C:\Users\Admin\AppData\Roaming\1.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Roaming\dllhost.exe (PID 2288)
              Command line: "C:\Users\Admin\AppData\Roaming\dllhost.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery

                C:\Windows\SysWOW64\attrib.exe (PID 3616)
                  Command line: attrib +h "C:\Users\Admin\AppData\Roaming\dllhost.exe"
                  - System Location Discovery: System Language Discovery
                  - Views/modifies file attributes

                C:\Windows\SysWOW64\cmd.exe (PID 3632)
                  Command line: cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory

                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 632)
                      Command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
                      - Command and Scripting Interpreter: PowerShell
                      - System Location Discovery: System Language Discovery
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe (PID 4624)
      Command line: "C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe (PID 4636)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\System32\rundll32.exe (PID 1004)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\RTPLaucnher.exe (PID 3388)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RTPLaucnher.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\RTP_Launcher.exe (PID 2228)
      Command line: "C:\Users\Admin\AppData\Roaming\RTP_Launcher.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\1.exe (PID 820)
          Command line: "C:\Users\Admin\AppData\Roaming\1.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Roaming\dllhost.exe (PID 1272)
              Command line: "C:\Users\Admin\AppData\Roaming\dllhost.exe"
              - Drops startup file
              - Executes dropped EXE
              - Adds Run key to start application
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\attrib.exe (PID 2764)
                  Command line: attrib +h "C:\Users\Admin\AppData\Roaming\dllhost.exe"
                  - System Location Discovery: System Language Discovery
                  - Views/modifies file attributes

                C:\Windows\SysWOW64\cmd.exe (PID 632)
                  Command line: cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory

                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3404)
                      Command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
                      - Command and Scripting Interpreter: PowerShell
                      - System Location Discovery: System Language Discovery
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken

                C:\Windows\SysWOW64\cmd.exe (PID 4900)
                  Command line: cmd /c sc query windefend
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory

                    C:\Windows\SysWOW64\sc.exe (PID 212)
                      Command line: sc query windefend
                      - Launches sc.exe
                      - System Location Discovery: System Language Discovery

                C:\Windows\SysWOW64\cmd.exe (PID 4212)
                  Command line: cmd /c sc stop windefend
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory

                    C:\Windows\SysWOW64\sc.exe (PID 4412)
                      Command line: sc stop windefend
                      - Launches sc.exe
                      - System Location Discovery: System Language Discovery

                C:\Windows\SysWOW64\cmd.exe (PID 1264)
                  Command line: cmd /c sc delete windefend
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory

                    C:\Windows\SysWOW64\sc.exe (PID 1952)
                      Command line: sc delete windefend
                      - Launches sc.exe
                      - System Location Discovery: System Language Discovery

                C:\Windows\SysWOW64\schtasks.exe (PID 4100)
                  Command line: schtasks /delete /tn CleanSweepCheck /f
                  - System Location Discovery: System Language Discovery

                C:\Windows\SysWOW64\schtasks.exe (PID 4468)
                  Command line: schtasks /create /sc minute /mo 1 /tn CleanSweepCheck /tr C:\Users\Admin\AppData\Roaming\dllhost.exe
                  - System Location Discovery: System Language Discovery
                  - Scheduled Task/Job: Scheduled Task

    C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe (PID 4740)
      Command line: "C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\dllhost.exe (PID 4780)
  Command line: C:\Users\Admin\AppData\Roaming\dllhost.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Roaming\dllhost.exe (PID 1516)
  Command line: C:\Users\Admin\AppData\Roaming\dllhost.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Roaming\dllhost.exe (PID 516)
  Command line: C:\Users\Admin\AppData\Roaming\dllhost.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
  System Services (1)
    Service Execution (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Impair Defenses (1)
  Modify Registry (1)
Downloads