Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22/03/2025, 06:18
General
-
Target
f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
-
Size
1.6MB
-
MD5
e9a05151dfc1c4c2e84f16e25d05f6ee
-
SHA1
4bced15dc17ebf0e95cb34558e093446d394b235
-
SHA256
f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1
-
SHA512
6bd1a48e3d6a6a76b115bb6b6dddb95c5a39a890ca285f8d9470a6857d73c761225271ea513b1762641b373aa737b845261e0098e94ea8552ddd04226be804af
-
SSDEEP
24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score
10/10
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 53 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 13 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 13 IoCs
-
Drops file in Program Files directory 25 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 41 IoCs
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe"C:\Users\Admin\AppData\Local\Temp\f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe"1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\wininit.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\smss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Idle.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\ShellBrd\f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\explorer.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\OSPPSVC.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\sppsvc.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\System.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\System.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\WmiPrvSE.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Internet Explorer\explorer.exe"C:\Program Files (x86)\Internet Explorer\explorer.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c41c51d-272e-49a5-bbc4-bbf43635a4d6.vbs"3⤵
-
C:\Program Files (x86)\Internet Explorer\explorer.exe"C:\Program Files (x86)\Internet Explorer\explorer.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0a1ad23-8a4d-4335-962c-4d85705221ce.vbs"5⤵
-
C:\Program Files (x86)\Internet Explorer\explorer.exe"C:\Program Files (x86)\Internet Explorer\explorer.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d589361a-490f-483a-979a-2c33ba49d8b7.vbs"7⤵
-
C:\Program Files (x86)\Internet Explorer\explorer.exe"C:\Program Files (x86)\Internet Explorer\explorer.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9d7bef1-d972-442c-a934-640ce602ce39.vbs"9⤵
-
C:\Program Files (x86)\Internet Explorer\explorer.exe"C:\Program Files (x86)\Internet Explorer\explorer.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8632b13f-b9e5-4740-bf8d-b9ccf0e68900.vbs"11⤵
-
C:\Program Files (x86)\Internet Explorer\explorer.exe"C:\Program Files (x86)\Internet Explorer\explorer.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55212f8d-a58d-48ee-b1ed-4949d828bcd7.vbs"13⤵
-
C:\Program Files (x86)\Internet Explorer\explorer.exe"C:\Program Files (x86)\Internet Explorer\explorer.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b6f9168-d841-4cfd-8720-a7fe379a7515.vbs"15⤵
-
C:\Program Files (x86)\Internet Explorer\explorer.exe"C:\Program Files (x86)\Internet Explorer\explorer.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e17cdd1-9bda-45b4-a81c-b0f3e28efb6b.vbs"17⤵
-
C:\Program Files (x86)\Internet Explorer\explorer.exe"C:\Program Files (x86)\Internet Explorer\explorer.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26fd3061-a179-431a-8b92-a43944df22f5.vbs"19⤵
-
C:\Program Files (x86)\Internet Explorer\explorer.exe"C:\Program Files (x86)\Internet Explorer\explorer.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b2103ca-ab36-4d78-84e6-a2857e3ad1b7.vbs"21⤵
-
C:\Program Files (x86)\Internet Explorer\explorer.exe"C:\Program Files (x86)\Internet Explorer\explorer.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b241a7f3-a31e-420e-bf18-5e9cb2db68af.vbs"23⤵
-
C:\Program Files (x86)\Internet Explorer\explorer.exe"C:\Program Files (x86)\Internet Explorer\explorer.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fb3c30f-c636-4904-a035-8dd77f2105f0.vbs"25⤵
-
C:\Program Files (x86)\Internet Explorer\explorer.exe"C:\Program Files (x86)\Internet Explorer\explorer.exe"26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1846a0f8-4e0d-40a5-a25d-25f27673e63f.vbs"27⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b762ac7-1b20-45c3-b881-e64504b92cac.vbs"27⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\830bf09b-2bf6-464a-a4e3-1cb21109214d.vbs"25⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56cc43f7-e39f-4d54-89cc-b95be123ac95.vbs"23⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bba3dc98-1788-4c9e-8eff-b19291e1ed81.vbs"21⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01a87e1a-255d-46f5-baeb-062f8eaf3dac.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04b6d014-c212-4d50-901b-cdafb3e01347.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50cace04-3c36-4598-acee-bb021126e9ea.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8c756bc-b10a-4b6a-8804-02a4deee2547.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03fb21f6-b227-48b2-84e3-811a93d9d657.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99ff5dd9-823a-40ec-a146-573515bca16f.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8125a130-3fa6-40d8-97e3-a77bebd59555.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0137eebe-eaae-4f02-a9d9-e279c1804788.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\200b6a56-0233-43b7-a356-5ce94b8a5f9d.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\wininit.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Desktop\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Desktop\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1f" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\ShellBrd\f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1f" /sc MINUTE /mo 7 /tr "'C:\Windows\Branding\ShellBrd\f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\Public\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\Public\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Downloads\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Downloads\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD565fbb2f96c55a5005c50509d1fb66924
SHA108dc85ebb987a04cba15925bdc136bd93d5a2dbc
SHA256c8bee22d01fed0635f1b67cb8e29e757ba802dc92656cd0e4db8d57f423605eb
SHA512bc5fc84f08c17a578e8eb2a87d4179124c657dedb2248b576581da50713452fc26189002de73ebf32adb2097cb4990f2965db5881bbf209466a324bec5ed96de
-
Filesize
1.6MB
MD5799686b8afbb3bdd23a22aa73fdc19fd
SHA13453b63457ba1c3aee7cc6f561711e855f5a9068
SHA256a5e9e2a4c4d3fa7a927dcbcaca047b6f025c55119d3393dad829248f9b4af52c
SHA512d91485f32cd2f5bdbf93de775998d2ad0a3e6e4f40c364e30458634db1d84fd207bac9e594c5ea010e9bd5cc0b7627a46f50b6c1bb1e6cb7570ae4fc2f824f21
-
Filesize
1.6MB
MD50066f8a171f74cf95eda221a0f6d5f92
SHA19d0fdfbd25008ba1c95a4046038e3fb0fbd87975
SHA2565cb7ca259219356c4ce4089c774af2f3fe005f000d11ff245a869bb449ca2770
SHA512554a203555f28dfba33d899b2f769b5aef11a59e562c839737e94ca0b6a2ebcd3cc47a2fce59e7be27eebe580b8c34b2a4a20a388db7cccaff9bb65bf81e721a
-
Filesize
1.6MB
MD5e9a05151dfc1c4c2e84f16e25d05f6ee
SHA14bced15dc17ebf0e95cb34558e093446d394b235
SHA256f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1
SHA5126bd1a48e3d6a6a76b115bb6b6dddb95c5a39a890ca285f8d9470a6857d73c761225271ea513b1762641b373aa737b845261e0098e94ea8552ddd04226be804af
-
Filesize
1.6MB
MD5420ae8a6b309ba492304463c9fa57ba8
SHA1ffeb9451b71bef3fc6d7760117551238a4510b9b
SHA256028982fca887a0aa235ed3263a908fe8f9def43c4fd35add1bbdb60cf1754560
SHA5126778c64aa33de6f2500f313e5c4987143a5061765dab93bceb901e9235f58acd056e63aa7b18dfde5838af25fda9b5e5066cebe3e3ba83cf22e2bd6b9e7e8c72
-
Filesize
505B
MD55951b9b0e809f9dc9e51b19cf66abb72
SHA17801eb10ed8cfb8a21d37497bae59d910306998e
SHA256881d92f73623db92ef460bb61ffe2b37525714a860397dc70b8d98719e4ab4c2
SHA512e2764f0d640dad60ed56bf9611ae012d77df0992155182a61beaee0879073dea1f521ce5a79384c2f3a72e4a0215325907281f4597893618b8624e83be57676e
-
Filesize
728B
MD50ffe411c9b26e225b883ef64993318ba
SHA1fd948466b66b6cbe81d6076281c5546232d5d863
SHA2569e0ef36d2c5aed2fd9e5048a33bd74b461d4f50569ac5a6e34d228d3181e566a
SHA5121bebe48e5b833716aa95bb3b2433845bf653311a86e74c93a8493f9870c9e952c0edb6dd8e8290fdea8081c91cd5f1ac344016d23f7b5f8088e03c0ab97e4367
-
Filesize
729B
MD5e9662373e9f298b11d9a470d810e8a56
SHA1e831f392d9d38b84bbcaf0bfa29a33a08be40386
SHA25652eeee3303455b0739a25f303764adf8882ad416e9e8d850bee19692986752b6
SHA512afff8b7427e8c92f4d987eeac1762466f96b3d6aa75fe922f28a2d73fabfd612dabd63ec38d2da167c33b0d580d5575072126c59e097358b830f78aa2f753c38
-
Filesize
729B
MD5ed85718fdf0f0b33a0a2d182713f842b
SHA1cf749a12e6653e4f4abf958e9370acf4294d0c40
SHA2565499d62658e7d64dc62634ebef3d052875c02402a38d7d4386ae0e2a9b7c5daa
SHA5126adb598c208c65021357ee618c34a42c06fd81237a40e5180893264659dacf297ab8acc82970a8ad85b9741509fb2e86ede128f19add7cb3ac2aa5adb245c93d
-
Filesize
729B
MD5ee301ac24842c08ce6e637a2471096f3
SHA1587e0ed3eece40b86240c6770b4ba1d66712c605
SHA2566c7b041e386dd4f50c183d57cefab6a785ce761d783d1d61a9506df17e217d3a
SHA512d65bef5694554c5b6950b46c3333b2123d7b94b12f4c40dfc3659a5dcb5a2c9cdcf043442b59d247734f251ff5b22fda87a5406a74e539ec9fd1c06fc25f57ec
-
Filesize
729B
MD5898471d752fa946b7c863fd5da12dee2
SHA17d38e2ea23a12e1a3ec00fc33c38b7adfefe5acf
SHA256753d4458fa907a72a50267461d13c003115f79d906898496b53043e43aa7fe9e
SHA5128e1be42e1a8dc9a1333772d803c22937f3e311317f625d470ade8e44cdbc5445ed18923fe763b386d10087f9acdcb01b7774b53e3c2550722a5a7f888be9a5a7
-
Filesize
729B
MD554b4793f5066374a29d8a5ea1fb06ab9
SHA10c268681a27fc3bfe040995ee03031fa5112bf45
SHA2560a17f65f7fc1771ed5038179f8781aadc0d716ed7dc3cc73e9d23885204b9d39
SHA5124cd5f682beddf8f626436e64ade43bc580fc4c8cad69a5b4c65a1b361f6a6c38b45a42c063d2fdc84f2850673b8fbdbe562c5ac7db07c3719f9fe3135c4c7ff3
-
Filesize
729B
MD5db4ec2fe777f433687cd2e79f772790e
SHA1a075359840b2ecc01a39f83a1e3194e0bf3adc69
SHA25611b43cfab12984adc961b1c7dc9c9849539587b4e5ee5a1b29dd74f8d623fc8f
SHA5128b6f7872f19e6ecbba50c52be080c7e8e5fab24a178c66735191d2bbbbbf4f2641b1a1f74c9eec1894815e4ae22357749d89d5ac2c25cc4d54a833d1dc3e42ef
-
Filesize
729B
MD50d99707727af6480e52572de3c6c741a
SHA1b25740c4ca91b5a3caff1cd001655fbe6947a107
SHA256f832db96c180097b5930cbfe5519cb224a64e083c3077bfcc2a71327116bb0c7
SHA512476598457ea62e07f7de12741f5d6ce7b77b99e5a2c72c7c5441b25e17603a98c229c433a6c2757e8eebf82c8eeb68ea42861591ce11c99d6cd8ba446aceda2d
-
Filesize
728B
MD5bd3fda20d1995d9a24ee77177ed99660
SHA1f3edfdfb72264ce0063dea510a30de61a6d6e937
SHA25639751dd96b7a6fa7255ada843db837f610d2ee35662270235e9b5a741366f2de
SHA5120a5e92956df951b2d619353af9b6f46781bc24a5debdd2ae6b68694cb561fec2fb27d5a4c5a1abdbc3f35e584cef41ed1cddc0cbf2490e7397da5c9f78c407ca
-
Filesize
729B
MD57af1041d5ad239077e884a6a4bac471e
SHA17ff0f8fc143f9b7cddd1379961bd297a76fb75cf
SHA2564addb67f572af99b7ac2a5fa962fbe3e69884dfcbca340f0d00d044faa95660c
SHA512d48e82b635fbe8bca41acb63e924d1374d158cf8953838b6ea0b9475d93801d26afd6e1a74700dcafe1c50e6e8d5e0f7c5cdeed6d4a9bc906808f23664ecab5c
-
Filesize
729B
MD5783a3f1be9e1c9798d58bcffd8b612b2
SHA107c97a57482f615f6b0985f63608e0e9b0bc0d9f
SHA256d809aa92ea59b58daecaea64906efe842add31d9bd93cc7822ac72568f816fdd
SHA512f99d6846fa9d26be3f99a0599a7a2bd5f3a43eb9d962ddbf352e8f5ef265bf74ebbe4dc1fe7c8d26daa87880e338816c7e0dc8ce1736ef542dc94cdf6c5cb454
-
Filesize
7KB
MD5b83430ec19d54d0b28e30b9551021e26
SHA11bcb4abffbc1087c0713dfec7dc4388a70899da1
SHA25689506aa43951434ddaf1e86a19701c524b487ec3bafd47d092c93d9972992bb3
SHA51244e4f6e8133a2ee8dfab2788fc636d6c66da29b2485878bce63e499e06a0050506e0246ca16aadcae279e5110e1d7e6705af5b69fae8afcaf0e0f99754cfea31
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
88KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
1.6MB