Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

90ed1454b8...38.exe

windows7-x64

10

90ed1454b8...38.exe

windows10-2004-x64

10

91570920da...cf.exe

windows7-x64

10

91570920da...cf.exe

windows10-2004-x64

7

915c452bf2...b6.exe

windows7-x64

10

915c452bf2...b6.exe

windows10-2004-x64

10

916cd92d3a...38.exe

windows7-x64

10

916cd92d3a...38.exe

windows10-2004-x64

10

916fbe67a7...e3.exe

windows7-x64

10

916fbe67a7...e3.exe

windows10-2004-x64

10

91cce1a9f4...6a.exe

windows7-x64

10

91cce1a9f4...6a.exe

windows10-2004-x64

10

91d2e3f758...f6.exe

windows7-x64

10

91d2e3f758...f6.exe

windows10-2004-x64

10

91d7fa8d89...52.exe

windows7-x64

10

91d7fa8d89...52.exe

windows10-2004-x64

10

91e6d47bd8...cc.exe

windows7-x64

7

91e6d47bd8...cc.exe

windows10-2004-x64

7

92105c7a3b...24.exe

windows7-x64

7

92105c7a3b...24.exe

windows10-2004-x64

7

921421b7f5...09.exe

windows7-x64

10

921421b7f5...09.exe

windows10-2004-x64

10

9221b9eea3...3c.exe

windows7-x64

1

9221b9eea3...3c.exe

windows10-2004-x64

10

92324d5776...05.exe

windows7-x64

1

92324d5776...05.exe

windows10-2004-x64

1

927cd0bd1a...b8.exe

windows7-x64

3

927cd0bd1a...b8.exe

windows10-2004-x64

3

92efd55895...78.exe

windows7-x64

10

92efd55895...78.exe

windows10-2004-x64

10

932a9096cd...eb.exe

windows7-x64

10

932a9096cd...eb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 06:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    932a9096cd16630970f2bdc5e6cb9aeb.exe

  • Size

    5.9MB

  • MD5

    932a9096cd16630970f2bdc5e6cb9aeb

  • SHA1

    52d4a032ac5cbdbb8bed5b401283c1b49201ca92

  • SHA256

    79edf19412f95a9de108ec3ccdbaa450eab559c421768ff53a184da9563fc190

  • SHA512

    5fd9f0de72eb989d27c3a46a6ff1e79a61576bf24089437d73e0c2eead05f3a14a326966d9176a993f2b7289bbfe70206ea001742517e24e23e108577694aaeb

  • SSDEEP

    98304:xyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4y:xyeU11Rvqmu8TWKnF6N/1wX

Score
10/10
dcratdefense_evasionexecutioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
    defense_evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    defense_evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Program Files directory 25 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs
  • System policy modification 1 TTPs 12 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\932a9096cd16630970f2bdc5e6cb9aeb.exe
    "C:\Users\Admin\AppData\Local\Temp\932a9096cd16630970f2bdc5e6cb9aeb.exe"
    1⤵
    • UAC bypass
    • Drops file in Drivers directory
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2384
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3064
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2028
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2940
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1696
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1152
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2144
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1864
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2656
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2712
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1632
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:556
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2168
    • C:\Users\Default User\OSPPSVC.exe
      "C:\Users\Default User\OSPPSVC.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:620
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43e91807-cbfd-4b7d-8601-faeb2f12caea.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1912
        • C:\Users\Default User\OSPPSVC.exe
          "C:\Users\Default User\OSPPSVC.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2264
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e894d5d9-e725-424d-a04f-f4221990c73f.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1724
            • C:\Users\Default User\OSPPSVC.exe
              "C:\Users\Default User\OSPPSVC.exe"
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2376
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09b1ace2-83e0-4970-8b42-bb46ec11bd93.vbs"
                7⤵
                  PID:1932
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bde0c4d-1d42-4e43-baf7-86a79304eb0b.vbs"
                  7⤵
                    PID:2760
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24c0dbf6-22ca-4dcd-b1d7-1bc8ba7715af.vbs"
                5⤵
                  PID:548
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc39733d-a041-4fa1-a86a-61e1537220df.vbs"
              3⤵
                PID:324
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1812
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2712
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2604
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2676
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2332
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2264
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\System.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:324
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1228
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1508
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\services.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2788
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2700
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2688
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Downloads\OSPPSVC.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2972
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\Downloads\OSPPSVC.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2000
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Downloads\OSPPSVC.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2008
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2912
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1428
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2496
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1432
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2528
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2416
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\audiodg.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:264
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\audiodg.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2064
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\audiodg.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:572
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1748
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1284
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2140
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "932a9096cd16630970f2bdc5e6cb9aeb9" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\932a9096cd16630970f2bdc5e6cb9aeb.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1140
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "932a9096cd16630970f2bdc5e6cb9aeb" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\932a9096cd16630970f2bdc5e6cb9aeb.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3032
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "932a9096cd16630970f2bdc5e6cb9aeb9" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\932a9096cd16630970f2bdc5e6cb9aeb.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1084
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1360
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:620
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2424
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\lsass.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1520
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\lsass.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1676
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\lsass.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:852

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe
            Filesize

            5.9MB

            MD5

            7084ad0e9c3b3be0bc773a3fa8088d6d

            SHA1

            3f4ac8d10a46b79bfd0925de0f6ca13345a2db2e

            SHA256

            2479012c1246f12a3972b0932f4ae106d9845113827dcf10578daec8e74cd5c2

            SHA512

            669e53162882d2ff4fe4c1a69bcc8f641a290db5c1f6b75015908095cbef7da9c9faf097a12e9cd4974c5b7c036765d455a43caf55702c69f3d956a606baaee8

            Download Submit

          • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\932a9096cd16630970f2bdc5e6cb9aeb.exe
            Filesize

            5.9MB

            MD5

            6f78f89587300a0e88e09926fc3f14bf

            SHA1

            bbaec380475f42c51e562459f36e94cb7fad33f8

            SHA256

            79912ddfef7923991e737a7780d597431ff143e31538129b464d942882d2a295

            SHA512

            7ce86227e43b201e3953fbac1360025ce490db0aea3302b3325cbd5cb88eb30545574e856f54be53e4db323f30ac76e4871103aa18ea02df9ac5d74234220045

            Download Submit

          • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
            Filesize

            5.9MB

            MD5

            f2f05a167c3336cf2115f78d542b4811

            SHA1

            1b05162275145c9ffcd8cfe4885228fa08c5d844

            SHA256

            ffbccd4be1ddb6f6c78a346132c691a604681c7d672dc082984e8adafd95570a

            SHA512

            586cd64a80acbf39bfe0696bd848e26b0d3079a96047c1db93d6bb7f0d90353a3e8c8dbb62b6eb7c8928f5f2edb75b76c127b61b901a644b60f0730fe56fc4cb

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\09b1ace2-83e0-4970-8b42-bb46ec11bd93.vbs
            Filesize

            709B

            MD5

            e1bb5417715d051455f9492c5641688d

            SHA1

            9b58fe8f2859b09cfe4fa97da671eb86520d8610

            SHA256

            fd2d89308bde1723869b4af6a870add5c8f632cf8cfe4c2aa84485f024611013

            SHA512

            31c32a4755df5de8e225e8781c9600aaf7d8aceb7f8575ee7917cf4f49f5e4deeeaa5e9621c98ed06ebaafe3c983442e04e1b3bab038a496e81e08681b6675d9

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\43e91807-cbfd-4b7d-8601-faeb2f12caea.vbs
            Filesize

            708B

            MD5

            09fc7e2abfac3f453e15337fa0d76d9d

            SHA1

            c8c8403c575d32708ac7c5f638912c244370db2e

            SHA256

            afa7e199a66c034b104592ea1636c00711c458892b137b7315531644154a56c5

            SHA512

            0f9a41e3fbbfcaea466db19532f3cdbfd0a00a0c737d4ed0329874b3e2df1349d4609d4ec595c4156f0d4b7e37e0e0d350d3e6a0b8a66e1990ff749c909a688b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\dc39733d-a041-4fa1-a86a-61e1537220df.vbs
            Filesize

            485B

            MD5

            724da140bceb166739047d0bc4fa85c8

            SHA1

            763bef33542e445537f462f9395b319f4c694cda

            SHA256

            b8b18b7e78627fb3532cdddd049b2aee817170b77a8afa590bd8b151e08414ce

            SHA512

            7a06c0eae6ac8241349add78bacfcb6abfa1162ec0ab5ec4dd7f62e604eb5714d79eeaa7790dca9ca8bc9caf85692ac47a696aa1b876d0baed18bf04540c3be8

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\e894d5d9-e725-424d-a04f-f4221990c73f.vbs
            Filesize

            709B

            MD5

            fd9017fdfe9d41f421c89700a74192ea

            SHA1

            a794e576803a57299fdfe4e39ec91b7b949707ef

            SHA256

            7614aa8b6c519b768a907c50a5eb3a89cdc0494ede793a7fbbedbc257f951bdd

            SHA512

            1e2c93d7ff2fff784a7363255ba497a2ee20d7b398d00e3c9b04e485c3c018be1344be2264ad5cf120e6929ddc1206137017423e982aa15be407a3e0172d96a7

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            0aceeb49de8006f7848a172c0f84dac0

            SHA1

            b8fcb71853e16ab1a25080bf0297387cb1aae4eb

            SHA256

            9a7a34f677c6ab3c8109559b144c6956d7db1698e7386618cbed625d01f0421c

            SHA512

            70e8b48c7e1379bde58689821b4e0f7fc608ea83a2058d93c64582f48ead2638ad05eba5b2951b12092391c467460ab2195bf9d45f91640056853ab028b306ae

            Download Submit

          • C:\Users\Default\Downloads\OSPPSVC.exe
            Filesize

            5.9MB

            MD5

            932a9096cd16630970f2bdc5e6cb9aeb

            SHA1

            52d4a032ac5cbdbb8bed5b401283c1b49201ca92

            SHA256

            79edf19412f95a9de108ec3ccdbaa450eab559c421768ff53a184da9563fc190

            SHA512

            5fd9f0de72eb989d27c3a46a6ff1e79a61576bf24089437d73e0c2eead05f3a14a326966d9176a993f2b7289bbfe70206ea001742517e24e23e108577694aaeb

            Download Submit

          • C:\Users\Default\OSPPSVC.exe
            Filesize

            5.9MB

            MD5

            2c9ece563b0ae805be4fe0f55fe80c6c

            SHA1

            4856edf6d7bf14b226171c2625429dd99ae11998

            SHA256

            465cd037dc21843ac63eb514f3c31b20f8ad93e8d17d5d9e89ac7de5e54c94c5

            SHA512

            71bab20b03b34f5110baac914e7ba8eb1faf991908d34f6e5d068f0a11d2ca48836238b532756b711d033f450903ab326dcc919a0aefdb1585085a237209b04c

            Download Submit

          • memory/620-279-0x0000000001340000-0x0000000001C38000-memory.dmp

            Filesize

            9.0MB

            Download

          • memory/620-282-0x0000000000EB0000-0x0000000000EC2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/620-283-0x0000000000F30000-0x0000000000F86000-memory.dmp

            Filesize

            344KB

            Download

          • memory/2028-247-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2028-237-0x000000001B6B0000-0x000000001B992000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/2384-14-0x0000000000BF0000-0x0000000000BF8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2384-37-0x0000000000FD0000-0x0000000000FD8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2384-17-0x0000000000C40000-0x0000000000C96000-memory.dmp

            Filesize

            344KB

            Download

          • memory/2384-18-0x0000000000D10000-0x0000000000D1C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2384-19-0x0000000000D20000-0x0000000000D28000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2384-20-0x0000000000E30000-0x0000000000E3C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2384-21-0x0000000000E40000-0x0000000000E48000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2384-23-0x0000000000E50000-0x0000000000E62000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2384-24-0x0000000000E80000-0x0000000000E8C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2384-25-0x0000000000E90000-0x0000000000E9C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2384-26-0x0000000000EA0000-0x0000000000EA8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2384-27-0x0000000000F30000-0x0000000000F3C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2384-28-0x0000000000F40000-0x0000000000F4C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2384-29-0x0000000000F70000-0x0000000000F78000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2384-30-0x0000000000F50000-0x0000000000F5C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2384-31-0x0000000000F60000-0x0000000000F6A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2384-32-0x0000000000F80000-0x0000000000F8E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2384-33-0x0000000000F90000-0x0000000000F98000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2384-34-0x0000000000FA0000-0x0000000000FAE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2384-35-0x0000000000FB0000-0x0000000000FB8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2384-36-0x0000000000FC0000-0x0000000000FCC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2384-16-0x0000000000C30000-0x0000000000C3A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2384-38-0x0000000000FE0000-0x0000000000FEA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2384-39-0x00000000011D0000-0x00000000011DC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2384-15-0x0000000000C20000-0x0000000000C30000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2384-0-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2384-13-0x0000000000C10000-0x0000000000C1C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2384-12-0x0000000000C00000-0x0000000000C12000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2384-11-0x0000000000680000-0x0000000000688000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2384-180-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2384-10-0x0000000000BD0000-0x0000000000BE6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2384-9-0x0000000000670000-0x0000000000680000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2384-8-0x0000000000600000-0x0000000000608000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2384-249-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2384-280-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2384-7-0x0000000000650000-0x000000000066C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/2384-6-0x00000000005F0000-0x00000000005F8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2384-5-0x0000000000460000-0x000000000046E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2384-4-0x00000000003D0000-0x00000000003DE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2384-3-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2384-2-0x0000000000230000-0x0000000000231000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2384-1-0x00000000011E0000-0x0000000001AD8000-memory.dmp

            Filesize

            9.0MB

            Download