Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
22/12/2024, 04:43
General
-
Target
JaffaCakes118_f5b85ba196252c34986b0c1382e730a700cabf8058a23c4342262ed7cc8811f9.exe
-
Size
1.3MB
-
MD5
9916f51d8446cab51c3c99a62f1cd228
-
SHA1
a92cc0b4440918805c8a0091b1082c09f64e0819
-
SHA256
f5b85ba196252c34986b0c1382e730a700cabf8058a23c4342262ed7cc8811f9
-
SHA512
a2418100f3a936a0599ed65d95315d540ab533488b07222c56181987f8b28aa599e97eaf28d58733f0fdfaa3010eec864fff218f8da9702acf94ab3b83512d01
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 9 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
-
Drops file in Program Files directory 8 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f5b85ba196252c34986b0c1382e730a700cabf8058a23c4342262ed7cc8811f9.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f5b85ba196252c34986b0c1382e730a700cabf8058a23c4342262ed7cc8811f9.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\MSDN\8.0\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\fr-FR\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe"C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat"6⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe"C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat"8⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
-
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe"C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\onYrHPGvDe.bat"10⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵
-
-
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe"C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V9nTU0UPEK.bat"12⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵
-
-
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe"C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat"14⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵
-
-
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe"C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat"16⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵
-
-
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe"C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W3ML2JPNvQ.bat"18⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵
-
-
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe"C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat"20⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵
-
-
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe"C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lLU0orPlEL.bat"22⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵
-
-
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe"C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat"24⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵
-
-
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe"C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\twain_32\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\twain_32\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Favorites\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Favorites\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\fr-FR\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\fr-FR\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\fr-FR\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\L2Schemas\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5bca21c57f1b204db834059809ac64dfe
SHA1220a1a504a79ebbbaf2bc2eec8a52b02ae3718ff
SHA256dcbbcad78a01453fdeca489b52e77065beeedb57319199aa9c7e3427d1e4e7a2
SHA512db1c18d7b28c99b28ab613e8417fa0658d4354b015e958ab4d4e450d8023766386aaf598dbb5114a78540f77c597911a6e31487afc889f5d0b641f3684912323
-
Filesize
342B
MD5b1be2e436238d4dce9f1c1f134ec42c8
SHA16854eb57f1e516fe5b42f8cc63d5b3741ad455d3
SHA2568b75f5358de20acc296cc412438ad68845129745de93747401c36c36109f9ec0
SHA5122a16d611c6fef755bffb47a6675565cf502e72ce6fc182a7244a3ae286ee1045c2903530291972ea9e2f5152b9c8e3171d21568e21568f5f6fdb014048d16942
-
Filesize
342B
MD5573aeed5665368af7babf39c4f054ff0
SHA185952911e4002e7e63b4779c8069662a05b054fb
SHA2565327af6e2c9bf5894b2fbfa048598c384b271028f6112a89f4599e1b49ab25e1
SHA5125486866b006ef8a1b6c758af221d832cfad30a7f96fdb1f1e4126ad0220246a878b9dc83ae093b595fc6445588fbcd69011c356970942c1d3a81c65dfe15d9a3
-
Filesize
342B
MD5c0717eeecfc973d25691affb7a6f8356
SHA1308a9438054551eb950c9cefdc9ad8af82359766
SHA2566c51b5f1046918623fbc331bf0e69d8a814f5dbada97e8a1aa62ccc587e37ea4
SHA512bdefc94892b7076efdf09c76872f81ba6f39ece9d925f35c538a451b8e36400b63686d956c1b015f0a1ab3c880da44d99cc3b402f065d18dbd86165340aa1c83
-
Filesize
342B
MD5936ba913aafd6baebf496ead890c1626
SHA16d7530c450dc5155a3b86535b4422170c7a01407
SHA2567c287396bf8e6fd267c8369e9bdef02b1c63c9bad0e7cc851dc2db4f2e03ce6f
SHA5128ac1f755c855d9efe189d36c4bdaa49276f5b5309b862fed42c8ac75183a84a43f25d5b31c17d8c5239d4ed42e3b33c8e22e68dfeb6e6d1406ceb01e6b8540e3
-
Filesize
342B
MD523efefed174620eee6ac2032caad0464
SHA110919c765d045d5cf09cef07f22d77dbbbc29ea6
SHA25649017dca9085cacedaf17a5a5b616553cead7b200269a0e3d7ad12d9a4c19f6d
SHA5120adb4fab42ffcfcf0dff2056654d26db88705b40f09b25349812db571af8482eeb3f989368cd034e417d55dbf65d41a6cabce6f52511527547b37f479c2d46ba
-
Filesize
342B
MD58423a45757fce19f5df4ee5291de68db
SHA14d9840dabb7c9627aff3e8277acd73e3750941aa
SHA2561a0e1dc982494f61992f177c5fce8dd05302ba07b0ea6d3ad2ee8d61403ba2eb
SHA5123130a1c204a6338c83f4b8f3bcebdc754917b964b653da5312074bf22d5f16e91210ec254c58fabd39782d2f48ba618cb1997bc1fa592986d8144332c821c60b
-
Filesize
342B
MD5cda870c3b2db686e0eba24633cda8bbf
SHA13b1a746188e3ae682be3e01872ee8c4b254476c2
SHA256fb32c72ee539cb1ccf196cd30fdf49eb5164ee43aeb8bf6c1ca9e9e589f0a302
SHA512828c4b7f5f35180ff861c746af7beaa7944662a71d38ecf42b10296826b3898ccbf920cbc0e1f209c80569946fa5198e62254e36dd243da01b69f602d786776a
-
Filesize
342B
MD523111bc254e47fb43030483cead7702e
SHA100bd631968f6f504f76f082e5ce423d20e10a7d0
SHA2568701c1b85cac364474c3995fa39dc37c96300bcdeb8fc667e70adc56bdd9333a
SHA512029e288339000133028c285a16c6f46b77d0473cff157ca280a26209051de51293d16c25062ba8fc766a4976771a4456f3b96dc9986de54cfcb35a57ccce8d88
-
Filesize
230B
MD5ff00e3064c61e0e3a7989ac3f42bd6f9
SHA188ddfdbc60efc9c565296b067c00c6bbc7dc4052
SHA256fe70780ffbfa9c6174852f43654938e360d6b1000b57faacf787d3981fdf9858
SHA5122e61ba55c76fcfaa711600715e00c292db5e61708e75ff362480cd42a85252b230eaa585abe058767dc192600e1546e36794648f4649dba9980c7852ac75785c
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
230B
MD50e923c8f11e4aed81173c11150ee7ebf
SHA10ec7369515ec71e87fa302466a07c542f5eced69
SHA256c75b87ecb0245a2111aac926dd512233fd6c9394309ef39d04eaf497d5f1e6a2
SHA512614a58a3bd0c2e776d74b1c3d6bfe7c584a4a625df479764f38559b3092d9133090068bec2cf20bbc9f5f76bc9013042a40946b74cde634cd1edf85bcb04df33
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
230B
MD566d5be29b11ba036deb26f9513843d66
SHA11f94c8f796b5f73a5a395a8a09d811b177ae33dd
SHA25631306e1cbbd291396f53d897847f7b448cea484bf8f20ff00631a1be992950f9
SHA512298ec358da5c5af3f20681c0af7e8850e92bba61c0b32e8d7c02ac87ed6568e964ecbc67cedc8f7450ec9e5ba5528b1dc550adb2b58067666c7233baebee29fd
-
Filesize
230B
MD5507b2a17375ca5cc16230d8ad6c8fa9d
SHA162074258e274f5490b35e77529453ad850049f49
SHA256ef818f57c22fd749c86df0d0812efccdd2720dc3424099ff80c305ac123513db
SHA512dddae047a867d86d64bcfee1e635f810dd94e9cceb64ca084560c711ec8d738e44c017242f4ccbc1689b8ea84d721d7ef11dc6059e291cdf70c9d6074a26faff
-
Filesize
230B
MD52468488fe440a6d5ffe2a45181e40e9c
SHA10fa20e65776c0293e23263912160085c10ba9f05
SHA256cd7ad1226379abc2acf8a879df89c86d3146bbb31d34a43a60805132fe3e014a
SHA512661f773cd0bf575b6fcc53496337fb76bed3e9816d71356f0899c5c5fbf51d3e0f8fd54fca91ec90291f0b770004d0f187de51e9f4be63185233c9972c3160db
-
Filesize
230B
MD54722e2bd87afc71fea087a1f03ac5d33
SHA1e81631f14523c30f5b4d92306dad4504dabe0979
SHA2568bbdda2854d03290eeee927632f26641e727e630638ae6fd2af244748ee3cb73
SHA51269e8792ab1ee7035a376b5ec72cfde90ca4f5d999f21c182a906ba99033068f7bea33f70704c2cc547f7f99b344ffb8fea77241f524579a29124a4378beb5c9b
-
Filesize
230B
MD5ca11192e814ad7f3450cd4a4c5585d81
SHA1a699258de1435936b914d2da74ca7ff315e33cf2
SHA2566efe8630ac4a4910eec8a57d464b9ed6309c96cb4cda6bea13e21571009407fe
SHA512c3087b9b848a81d711a76a0e86d538bbdf49460837b8922e169d268d818a32ef6029bf7c3f03c9de3fee138de578d292fdb8e67907d48a510c9727927c483bc1
-
Filesize
230B
MD50a1dde14aa4041fe63df35b1a65d772e
SHA106ffc097ccac91f1a6f1d922030ca141692e73b7
SHA2563500ced4c72987515db50eefe4ad8e21f6fa0afc4b23b67f494468dd4c57c6b7
SHA51209ae3da9b2266abcae6a4241e4728cd1f48c6d25d37c1acd0ec44387f96ee5eb24ba2a70ed0e25e6470a6d17dc71602cd06492415e38bbfcabbe1fa1cf29b135
-
Filesize
230B
MD507633d21044ebdb188ea285d99d12aef
SHA1111d42875d6c4b85c6eb1f05a4c9137725ddaa98
SHA2561491cdec60a39c9165b6a588ec555260e687a906229605e47e069da9eb083e7e
SHA512f145e45ae1a25a0953f39ccd09f3deb29e6d7c32c251487becb8617e3af47058242f824ae2773938cf1ef55cd3cc31f5cc137a0619437b2a3362052c9405ffad
-
Filesize
230B
MD5e12cba4760d8717e8f96ba3bb82de6bc
SHA105b8cc852672837f3376d5817b3f4da1d8d5ffe8
SHA2561674baebc2b1082b8c996e72e495ad359492e421fbe927ee41dab0b35839468c
SHA51215863979f048cbff38be3d12a830711c8db80739f34229503736317e76728af2b1d8374e2994cf56eeb5088551a09732e2f302dce835babcf94e48fbda47357a
-
Filesize
7KB
MD584256acabf666cae1d1269d755b59b49
SHA1f7c9d0b32e7726fcac53a663cec25628f1227111
SHA256fe2257f957262ab499f5c2f2674c66f409b8a73a35db9ad73c485d8ee9378139
SHA51244180dcea76ac0fd02858d9e1611056e29496095044c928ab6a09377acf7e66643f4d956d4f3001c8bcc2967455539be85916d5057a720ba89f61810bf21edfc
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.1MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
1.1MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB