Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

b4d16a23c4...cd.exe

windows7-x64

10

b4d16a23c4...cd.exe

windows10-2004-x64

10

b4eca0b762...e1.exe

windows7-x64

1

b4eca0b762...e1.exe

windows10-2004-x64

1

b4f9f36ada...07.exe

windows7-x64

10

b4f9f36ada...07.exe

windows10-2004-x64

10

b5002c08a1...bc.exe

windows7-x64

10

b5002c08a1...bc.exe

windows10-2004-x64

10

b55e92f4a2...a6.exe

windows7-x64

10

b55e92f4a2...a6.exe

windows10-2004-x64

10

b5687bfac8...82.exe

windows7-x64

10

b5687bfac8...82.exe

windows10-2004-x64

10

b580ffe62d...98.exe

windows7-x64

7

b580ffe62d...98.exe

windows10-2004-x64

7

b599b9b1d6...6f.exe

windows7-x64

7

b599b9b1d6...6f.exe

windows10-2004-x64

10

b5ac1858b7...1a.exe

windows7-x64

5

b5ac1858b7...1a.exe

windows10-2004-x64

5

b65e1ac2a1...74.exe

windows7-x64

10

b65e1ac2a1...74.exe

windows10-2004-x64

10

b67576c827...e2.exe

windows7-x64

10

b67576c827...e2.exe

windows10-2004-x64

10

b68768d198...a8.exe

windows7-x64

7

b68768d198...a8.exe

windows10-2004-x64

7

b6982d011a...3b.exe

windows7-x64

10

b6982d011a...3b.exe

windows10-2004-x64

10

b6b7f4db83...cc.exe

windows7-x64

3

b6b7f4db83...cc.exe

windows10-2004-x64

3

b6baedc86e...7b.exe

windows7-x64

10

b6baedc86e...7b.exe

windows10-2004-x64

10

b6cd4cbecb...e2.exe

windows7-x64

10

b6cd4cbecb...e2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 06:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b6982d011a327e88728cfc8b6305503b.exe

  • Size

    999KB

  • MD5

    b6982d011a327e88728cfc8b6305503b

  • SHA1

    062fa217e9e470a4519cf52317103cebe8df8d20

  • SHA256

    219bf63bcfc9f321c2a5c0ca3aca0e5dfff80d7dd75537ebf2e7df9aac879ec1

  • SHA512

    32523771889fa8ad9bba0b0a4537ec8794b29a4ef68d3084e3886162bb2fdefd8251924a042bad7b5b28ef14b08aa3b81478195530c6875e78878c7355bee910

  • SSDEEP

    12288:H9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:H9pP5WS3lrMNyC9TJPCXBi

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 17 IoCs
    persistence
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 17 IoCs
    persistence
  • Drops file in Program Files directory 17 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\b6982d011a327e88728cfc8b6305503b.exe
    "C:\Users\Admin\AppData\Local\Temp\b6982d011a327e88728cfc8b6305503b.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ar0OY31ljn.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2976
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2384
        • C:\Users\Admin\AppData\Local\Temp\b6982d011a327e88728cfc8b6305503b.exe
          "C:\Users\Admin\AppData\Local\Temp\b6982d011a327e88728cfc8b6305503b.exe"
          3⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1580
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\faDLbbQ0dW.bat"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2596
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              5⤵
                PID:2724
              • C:\Windows\debug\services.exe
                "C:\Windows\debug\services.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:2480
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Favorites\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2732
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Favorites\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2832
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONSTART /tr "'C:\Users\Public\Favorites\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2856
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Favorites\spoolsv.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3060
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVC" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\images\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2760
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2788
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVC" /sc ONSTART /tr "'C:\Program Files\Internet Explorer\images\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2796
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\images\OSPPSVC.exe'" /f
        1⤵
        • Process spawned unexpected child process
        PID:2808
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "b6982d011a327e88728cfc8b6305503b" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\b6982d011a327e88728cfc8b6305503b.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2908
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "b6982d011a327e88728cfc8b6305503b" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\b6982d011a327e88728cfc8b6305503b.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2640
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "b6982d011a327e88728cfc8b6305503b" /sc ONSTART /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\b6982d011a327e88728cfc8b6305503b.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2692
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "b6982d011a327e88728cfc8b6305503bb" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\b6982d011a327e88728cfc8b6305503b.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2396
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc MINUTE /mo 8 /tr "'C:\ProgramData\Microsoft\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3036
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\ProgramData\Microsoft\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2668
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONSTART /tr "'C:\ProgramData\Microsoft\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2140
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\ProgramData\Microsoft\lsass.exe'" /f
        1⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1656
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2112
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2304
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONSTART /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1060
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:760
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSE" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1628
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2208
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSE" /sc ONSTART /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:844
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\WmiPrvSE.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1856
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\es-ES\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1092
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2484
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONSTART /tr "'C:\Program Files\Windows Defender\es-ES\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1872
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\es-ES\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1804
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc MINUTE /mo 14 /tr "'C:\ProgramData\Start Menu\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:908
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1772
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONSTART /tr "'C:\ProgramData\Start Menu\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1640
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\ProgramData\Start Menu\explorer.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2088
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "services" /sc MINUTE /mo 13 /tr "'C:\Windows\debug\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2176
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\debug\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1256
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "services" /sc ONSTART /tr "'C:\Windows\debug\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1816
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\debug\services.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2116
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSE" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2368
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:1184
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSE" /sc ONSTART /tr "'C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1908
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2440
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "b6982d011a327e88728cfc8b6305503b" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\b6982d011a327e88728cfc8b6305503b.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:584
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "b6982d011a327e88728cfc8b6305503b" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\b6982d011a327e88728cfc8b6305503b.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2388
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "b6982d011a327e88728cfc8b6305503b" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\b6982d011a327e88728cfc8b6305503b.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2560
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "b6982d011a327e88728cfc8b6305503bb" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\b6982d011a327e88728cfc8b6305503b.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3044
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Cookies\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2904
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Cookies\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2820
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONSTART /tr "'C:\Users\Default\Cookies\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2848
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Cookies\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1888
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVC" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2748
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:2732
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVC" /sc ONSTART /tr "'C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2640
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2636
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSE" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2856
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3020
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSE" /sc ONSTART /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2040
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2808
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1684
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1200
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1904
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1140
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\HomeGroup\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3012
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1544
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONSTART /tr "'C:\Windows\Logs\HomeGroup\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2968
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\HomeGroup\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        PID:2952
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Downloads\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1136
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Downloads\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2428
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONSTART /tr "'C:\Users\Default\Downloads\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2384
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Downloads\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2988

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RCXBD48.tmp
        Filesize

        999KB

        MD5

        b6982d011a327e88728cfc8b6305503b

        SHA1

        062fa217e9e470a4519cf52317103cebe8df8d20

        SHA256

        219bf63bcfc9f321c2a5c0ca3aca0e5dfff80d7dd75537ebf2e7df9aac879ec1

        SHA512

        32523771889fa8ad9bba0b0a4537ec8794b29a4ef68d3084e3886162bb2fdefd8251924a042bad7b5b28ef14b08aa3b81478195530c6875e78878c7355bee910

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ar0OY31ljn.bat
        Filesize

        234B

        MD5

        d4b33b534514f4636f99da0cd9b0f3db

        SHA1

        54f999d98d7941d8f591baf89164db83891d2054

        SHA256

        648f4683e86350a30fc6c0bc6c452dc98333af0abd9c720574fb30a8b27a1430

        SHA512

        047531f7b01d2e4c03a50515e30d68604addd93bdf5f5798f867ca7b6b2fc48201066ff9259fd27c9f3c96da9e102a8069df442e6b1613fb55aeda5201931f97

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\faDLbbQ0dW.bat
        Filesize

        193B

        MD5

        e12c290752d3030ec7368837b844e61d

        SHA1

        2f8817fac8c8eae252cec635f0f703c494f7a0e4

        SHA256

        4d573cefba2b2f9d02ec9d78de91a052c1a90cf94683b51c4ff2c90742ca9c98

        SHA512

        a30e1b01c0f1e464a9050368b288f54f90876ca0c774adbe8a31bbac36296764fe18c5c0c97dbc5d7cdd381260a35cce74a67bd7c03dbc739f8a9d550c36e7e5

        Download Submit

      • memory/1580-64-0x00000000001E0000-0x00000000002E0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2428-9-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2428-10-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2428-8-0x0000000000A50000-0x0000000000A5E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2428-7-0x0000000000A40000-0x0000000000A4C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2428-0-0x000007FEF5703000-0x000007FEF5704000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2428-6-0x0000000000A30000-0x0000000000A40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2428-5-0x0000000000A20000-0x0000000000A30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2428-3-0x0000000000A00000-0x0000000000A1C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2428-62-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2428-4-0x00000000004E0000-0x00000000004F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2428-2-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2428-1-0x00000000011A0000-0x00000000012A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2480-128-0x00000000002F0000-0x00000000003F0000-memory.dmp

        Filesize

        1024KB

        Download