Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

f2259737b9...1a.exe

windows7-x64

10

f2259737b9...1a.exe

windows10-2004-x64

10

f26d7a7648...57.exe

windows7-x64

10

f26d7a7648...57.exe

windows10-2004-x64

10

f2728425ca...99.exe

windows7-x64

10

f2728425ca...99.exe

windows10-2004-x64

10

f27c496378...29.exe

windows7-x64

10

f27c496378...29.exe

windows10-2004-x64

10

f2e7cee938...9a.exe

windows7-x64

10

f2e7cee938...9a.exe

windows10-2004-x64

10

f2fe22a9b8...f7.exe

windows7-x64

1

f2fe22a9b8...f7.exe

windows10-2004-x64

1

f329b3a2d6...ab.exe

windows7-x64

10

f329b3a2d6...ab.exe

windows10-2004-x64

10

f34854f659...a1.exe

windows7-x64

10

f34854f659...a1.exe

windows10-2004-x64

10

f35d502490...e2.exe

windows7-x64

10

f35d502490...e2.exe

windows10-2004-x64

10

f36fde0983...fb.exe

windows7-x64

1

f36fde0983...fb.exe

windows10-2004-x64

1

f373a271fe...72.exe

windows7-x64

10

f373a271fe...72.exe

windows10-2004-x64

10

f386c97ec3...ed.exe

windows7-x64

10

f386c97ec3...ed.exe

windows10-2004-x64

10

f3873b73a0...14.exe

windows7-x64

10

f3873b73a0...14.exe

windows10-2004-x64

10

f3a76e9615...78.exe

windows7-x64

10

f3a76e9615...78.exe

windows10-2004-x64

10

f3eedde12e...df.exe

windows7-x64

10

f3eedde12e...df.exe

windows10-2004-x64

10

f3ef636642...36.exe

windows7-x64

10

f3ef636642...36.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 06:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f3873b73a0b2ef5c54ba8ed8a571bc14.exe

  • Size

    1.1MB

  • MD5

    f3873b73a0b2ef5c54ba8ed8a571bc14

  • SHA1

    404a503b0a98f21c4adc006ebd7a51466aa1e52d

  • SHA256

    e38968cd849bfac11b8dc61f6945e406dc8fefed82db482d87579b61649cd08f

  • SHA512

    02f343a965daa821e8f14fda3cc296beb8dac814b6618c20506c5afd9625c8108f868463b9318ace1c6e5600abecf1236751846794879bc465c08e3dfa22515a

  • SSDEEP

    12288:96NE5eSwJu37+GXJpkaI7ShG54v4ahgVY3whNG8/LI6i4ejmtnbAouuFteLBdBN9:96NReJXJIwvJgVQSoPEzKkLXa

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 19 IoCs
    persistence
  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 38 IoCs
    persistence
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 23 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe
    "C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1028
    • C:\Program Files (x86)\Microsoft.NET\taskhost.exe
      "C:\Program Files (x86)\Microsoft.NET\taskhost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\My Documents\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:528
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\My Documents\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2872
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\it-IT\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2928
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\it-IT\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2832
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2692
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Windows\Media\Calligraphy\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Media\Calligraphy\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Windows\Media\Calligraphy\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2016
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1644
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\inf\aspnet_state\0019\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\inf\aspnet_state\0019\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1716
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\inf\aspnet_state\0019\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1688
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1396
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\Temp\Crashpad\attachments\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1764
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\attachments\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2960
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Temp\Crashpad\attachments\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Games\Chess\es-ES\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3052
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Chess\es-ES\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2392
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\Chess\es-ES\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2112
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1488
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1412
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2244
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1364
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1152
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\Migration\WTR\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2044
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1720
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:900
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2372
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3028
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2264
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2068
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:320
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1544
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2152
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\es-ES\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2376
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\es-ES\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2468

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Games\Chess\es-ES\System.exe
    Filesize

    1.1MB

    MD5

    91e906aaf39dc7f3051fb282d67e00b7

    SHA1

    565d394d6a5dd0d4f2b0adac0b28135135f403cc

    SHA256

    da864210380d84e129180a04f47555768a908f5512ccfb5d983cb30e5322ef11

    SHA512

    e4649408aee595a8cd20336c0e57137654c1087410fc006a4706888bd7d21cf52ddc6a534bca226ab63aa5dbeebfa753da1253ce48aeee9abd6d8a1fa2462a0c

    Download Submit

  • C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\sppsvc.exe
    Filesize

    1.1MB

    MD5

    8464a8ea3ea56ee5013ac39a676336d8

    SHA1

    f12d414cc94f5a23369c86b3553b477a41aab4f2

    SHA256

    061a62f9ff927347b65f26563a33b5c90e325797751e144a7e218af7a2068781

    SHA512

    27f115a4d63758f73dcedbade1d5ce4c5abd4b68fee4a779b04ae4f54671ecf7c179f879ba586e65d4bc233a4c4e7cd46f074ba2a00f0f3449e820788d3f2574

    Download Submit

  • C:\Windows\Media\Calligraphy\OSPPSVC.exe
    Filesize

    1.1MB

    MD5

    f3873b73a0b2ef5c54ba8ed8a571bc14

    SHA1

    404a503b0a98f21c4adc006ebd7a51466aa1e52d

    SHA256

    e38968cd849bfac11b8dc61f6945e406dc8fefed82db482d87579b61649cd08f

    SHA512

    02f343a965daa821e8f14fda3cc296beb8dac814b6618c20506c5afd9625c8108f868463b9318ace1c6e5600abecf1236751846794879bc465c08e3dfa22515a

    Download Submit

  • memory/1028-6-0x00000000003F0000-0x0000000000402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1028-5-0x0000000000480000-0x0000000000496000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1028-0-0x000007FEF53A3000-0x000007FEF53A4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1028-8-0x00000000004B0000-0x00000000004BC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1028-9-0x00000000004D0000-0x00000000004E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1028-7-0x00000000004C0000-0x00000000004D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1028-12-0x00000000022E0000-0x00000000022EC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1028-11-0x00000000020C0000-0x00000000020CE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1028-10-0x0000000000500000-0x0000000000508000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1028-3-0x00000000003D0000-0x00000000003EC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1028-4-0x00000000001C0000-0x00000000001D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1028-112-0x000007FEF53A3000-0x000007FEF53A4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1028-2-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1028-126-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1028-1-0x0000000000920000-0x0000000000A4C000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1028-189-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2708-188-0x0000000000B30000-0x0000000000C5C000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2708-190-0x00000000004A0000-0x00000000004B2000-memory.dmp

    Filesize

    72KB

    Download