Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
22/12/2024, 02:40
General
-
Target
JaffaCakes118_4c3d76d6aa809cb091bb86d11b906b48922b3b6a8ff36198cf9ae3b1b44567f2.exe
-
Size
1.3MB
-
MD5
108bdb83f5f63d48a31e16595928911f
-
SHA1
785351352dcc0c8d961f7954c187d9a8d486a8ae
-
SHA256
4c3d76d6aa809cb091bb86d11b906b48922b3b6a8ff36198cf9ae3b1b44567f2
-
SHA512
27a05c8dfcb04a6a0d0f310bc5c7131a778edfaefacda0db21cf73d09317ee87a78ed7415f426dc4f586cf0e50686b3cf07420f1b22618258390aa9f730cde15
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 6 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c3d76d6aa809cb091bb86d11b906b48922b3b6a8ff36198cf9ae3b1b44567f2.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c3d76d6aa809cb091bb86d11b906b48922b3b6a8ff36198cf9ae3b1b44567f2.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Pictures\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\fr-FR\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat"6⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"8⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat"10⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2RP5SY0RjS.bat"12⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kp2dTY47HA.bat"14⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat"16⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lg1oIatdTn.bat"18⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat"20⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat"22⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Pictures\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Pictures\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\fr-FR\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Temp\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD549c36152807623b272562ed866a746f9
SHA1af7b7c5d85f7c0b3339da88f555744339f07c48d
SHA256d2205e0112244a4b1489e7c0b4f1ced8285bbdc894bc3ba49ba0d5489d6cd4d7
SHA512ba38fcb944552ed02b4a33d90f67fe0e2ed917daea7d3c92b6880f50c733deb7598755b66f6f61864d2271c0bbd7c0309223fd2b125375f0c9735833e794414c
-
Filesize
342B
MD5532ce2f623341e4472919e87fab8c473
SHA1cf6a3ca9b03028305d734e0709829b06c7f57245
SHA2569bb3cee7d957216b416af69b1faf4e069d8795b9436a9896d5aaab645c48226b
SHA51213852130f07f8ce4fc0ae5bee28601edb594cd9e35199d1e2b20eea6f8f9669c713a7840eea4f9c1a30d9b7a5514c4ba53b62a20e52ff0da39d37c7941b166c6
-
Filesize
342B
MD5d7cc8d386bdadc7def9071efec13aa85
SHA13c57daa4c198c1ce098b87b29c06bf24804ea6b3
SHA25634164225ce2c25bcbc23bcc82867794339d516214b9bc1b92bec2c1c71a652a9
SHA512f70b7ea912fe1b7c2d5e5b6b525e9126259ba877f63751cfb69ad5a46908fe88dea2a6f6ae19b8e30fb5b7a1db9101c016936bd0ab80e167cd477963e99bf2ff
-
Filesize
342B
MD5e633b0523fae14713be507f2d23a3621
SHA1727dfc32645325a421183386b3c4793ac97b6748
SHA25674a7cd2c7a76a730302f9410c04948ba4a6d0fac2421cd159a6da28e17394287
SHA512d0be7aa9df0f3c77ea710cf176f52d11a0daad8362347927178a4d05b3a94df0e9f90df01a5e4f0a59f7b640bf33a70e8e1c7341cdd172f2487e5fd55d7817e7
-
Filesize
342B
MD5393b9c75a0c93ba0d4504909c3ad9727
SHA176a6777bc79af49ca88a7c3d0897a8c9a2503b32
SHA256c1ec98be0b8dd810ab604fa209022eb67248e9d64afaa3626edaae27d01f7429
SHA5123f085b020853052ff4c19edf8f5a19167d9694b5beac6cb2dfc6b4ea2c0636133f5c37270afd0cef9e5489df993295c551d647ad7f9818584c37a5b06afe10ab
-
Filesize
342B
MD50d056ab41183e6d99ffa1fab3d0b1ac6
SHA16de3c06504365c90bdfd14c57fe1b74467fcc666
SHA256387204d2a64d3e03fb1d0a2afb01152e88ca4f1624cec7193aa4d2baa1339489
SHA51231df078685e9e1d4bac2354bd4943c10addc958b73c1cac6e3847897e58bf8ddd6b57bd6f3c4cc7748e42d499502f5e251a343c6e07053124737fa7051b88b96
-
Filesize
342B
MD5e317417185a600323abc5b53864cee4d
SHA1c56ed84dde1264a3ff73cfb4e8c2e8cbc97a5a4c
SHA256d840f4dd7203c51c10441e33f343da18bdf1cdc636402fb14a83325245d8485e
SHA512513bff74cd94ee53755fec3ac9460a6d0af3de77482f9c1f4ff777f3cc743fb41987763b02211e3516acfbbc23ffe8a0d4929779482f76ff2f3cb9a4be7b4834
-
Filesize
342B
MD5f108e3ea8db38ab1eeb2b0e3616dcffd
SHA162eb88ea13f9d601f9e246e7e22eae1f819b0648
SHA256672c2667fff2f3d4ddd99460a8663e3244837e16fa714dfebb266181b919b96c
SHA512848b3bc2208504a0ea0493b36f99f494030e10fb7f7e34e862bf84d855b2caac91f1b116af85d129816fe8096147f9a5e6fefc7c5b44df2c3b8d6f8429cde522
-
Filesize
225B
MD59cc9edf2797605e9c8730e22c5dc6d54
SHA1d25792450f8d314594276092bc04718e47687cdf
SHA25648179689517108bb6397f2d62239aa8ca4c534e8efa1aa264d2237ba21ab0831
SHA51228197c5ead3635cf6fdd8772a42396873a43e5f90d3035ad45f049aa78cc66500a74f78a208b814f5b794e3914b994981a4b33e9b711f656ee442318c81b4fbd
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
225B
MD523072b554fe283a5f2e9150f3a14839c
SHA1511b71cd8c231d55c8d3706970841a096c5dea10
SHA256dd6b4bee0f9e630a27e6fa65cc727d5bc6ef7f0e7bff1187ec907a453b7b5728
SHA512a26b2ffddf1c7dd41796c89b5bcbf0a4ad3a87879f17de223beeed2c83968ae70040b5582cd10659496957222046040dbb649c8da7aee6289ec95c850f6868df
-
Filesize
225B
MD5aeecc52ec23c3a6ecf421f54f369cf78
SHA1eadb92798736925cd62b436c283a407dd8d35088
SHA2567d6fca930fb646037d3dbb66e924d8b8c7b62f8eaf9a09ecf03b11d3f5d4befe
SHA5126719b77d3e50ea1d9b3440db693cd7a7b6cdcf35af16752644e979b1c785ab2042fe1e7272de0607a4ab4bc8454b718d84f405f90c6d862b9daf558c06016d60
-
Filesize
225B
MD57e0cd9df46b00f4a68d6c357eb754025
SHA1a44c4646827fb3515b7637218aef9301199d4167
SHA2562ccf707f58471457dd312f1193eb0265a439594dce3c4e778e9c2607048f98ec
SHA512a9d663c6279bc5a5b7827d0fd0380f11f9c53d275229319e024a7c5d8b81a208cfdb32f77aa7ea6e0547779e8f39d7a66315db79e4cdda33297f754fc93c1713
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
225B
MD5f4a5607bb8a3555d115adf5bdef2368c
SHA11a923115a8abdf264d0eabe6eeb8a411b83fc62a
SHA25620f95bfb7ad8058008fec8ca6089188c09e9565aec0a0dc6a9202664b1660d53
SHA512adacd7cfe3e3c64faa3d7e7fe2e321f558b27953640f7822308862780dff3968aff1cdf3c5df87436ffca2de0a84eddb86c1383ab0675492b1f82c21e3ffdba9
-
Filesize
225B
MD59cbeef43898dfd3fb9e20c817af7e199
SHA1f31fdce9bceb01adaa759b55aa639fc0f1c26095
SHA25622dd973383be7668a067cbeda3070513363b1e0916331b674f25bcd08aa83ad1
SHA512827bc0d554bc873b326e3247d7e2c3a5e9fbcbedd0b03c423311e0fef933cd4a8c65f9ae2fecbbf6e06d36626c3d8f5e18fa3178113f9f205f262379146848d8
-
Filesize
225B
MD5d0e3ba7519336815aacc21452ba5a88a
SHA136253dab4fbd17425418c0e4d4fb4b2111dd1fa5
SHA2568ba49d462dddd09ce618e80f9eb6c26eb34bef81468b735adbc4ba9f0297993a
SHA512c799b0c53a62edc2a9df5ad23a3a5fb1f75d5f1c47a6d1530b44fa61a80e8917d14e7843cfe3b1db09e982874b7c7b5b33a3fde459cbc11e213d94c07f56e3bb
-
Filesize
225B
MD5e08479c1c226cf8a917f413d7df2fcb6
SHA153a16f37ff31e4e1141d6b901c78d6c3ed833111
SHA256c1aef163ef856bd2e2f002089bdff95d31b6c9bab71a95a3592e2e1e01901b5b
SHA512689c5be72deb09570dcaaed3336452436a1d52af3c17a232e80145a3087bff47d498915acc5120d66f5609f52357b77dd4a3121618e19d8e8bd280e028527cbe
-
Filesize
225B
MD5c67e92b45126c65c704e9ef9393aa2a0
SHA1ab4c571381cf01d508a7fbbefd0f63d743ca4c99
SHA2568c711e9da3fcade6f42c09a21e38b79df885bdae939786f4dd04e552b857fefb
SHA5128587f37dc967ce66c9238755fbb257a0cdc46c5da8438049d9dbcc00d46349b48f85810174e68ba3ae1825f46b363601b032a8c066c5a7c129d0b727454237d7
-
Filesize
7KB
MD519de59ccfca80b0bc7671360681345f0
SHA1032bea253898dbb0722521c84dab232f672de488
SHA25654bc9cc2be59ce0e892eabd1dcb3b1355163dedcb1754af8617a2b8bd3a99ef4
SHA51272e5979005c598be05147e8bb0bab0a782734e32ca847ec7fcc74e6afb2030eea711568fef14f7e46fb08fa89e94bc432af1158def5a633fce10c7bf82af8758
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
1.1MB