Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 22/12/2024, 10:43
Behavioral task: behavioral1
- Sample: JaffaCakes118_8c0523c38058dd704d09fcc4f017c5e46459824eb82217fa00acd01390277c85.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_8c0523c38058dd704d09fcc4f017c5e46459824eb82217fa00acd01390277c85.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_8c0523c38058dd704d09fcc4f017c5e46459824eb82217fa00acd01390277c85.exe
- Size: 1.3MB
- MD5: 5c894a9f9ca533a57b7156f6eaa5828f
- SHA1: c9ce6ea6ff8a9ce662619369da68ff9c824afbb2
- SHA256: 8c0523c38058dd704d09fcc4f017c5e46459824eb82217fa00acd01390277c85
- SHA512: c0c39a8d5872528129e687f22f113770f46c986ab058340fc8b926627c237c31abea6e75939d6ecffa57c156757bb5ab4f4eb40f9adb7e361b2930a8cf814f59
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) RAT is a .NET remote access trojan, active since June 2019, that can load additional plugins.
- Dcrat family
- Process spawned unexpected child process (9 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro. Here the parent is WmiPrvSE.exe, the WMI provider host: any process started through WMI (typically Win32_Process.Create) is created by WmiPrvSE.exe, so what this signature records is that the nine schtasks.exe registrations below were issued over WMI rather than launched directly by the dropper.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1004 | 2404 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3008 | 2404 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2100 | 2404 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2260 | 2404 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2412 | 2404 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2088 | 2404 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2044 | 2404 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2640 | 2404 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2896 | 2404 | schtasks.exe | 35
  resource | yara_rule
  behavioral1/files/0x0007000000015f96-11.dat | dcrat
  behavioral1/memory/2760-13-0x0000000000DE0000-0x0000000000EF0000-memory.dmp | dcrat
  behavioral1/memory/2128-52-0x00000000012D0000-0x00000000013E0000-memory.dmp | dcrat
  behavioral1/memory/1212-289-0x00000000013D0000-0x00000000014E0000-memory.dmp | dcrat
- Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. In this run all four calls are Add-MpPreference -ExclusionPath, each excluding one of the dropped executables (DllCommonsvc.exe and the audiodg.exe / taskhost.exe copies) so Defender will never scan them.
  pid | Process
  2892 | powershell.exe
  2944 | powershell.exe
  2912 | powershell.exe
  588 | powershell.exe
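The four Add-MpPreference calls above carve the dropped binaries out of Defender's view. As an added example that is not part of this report, the Python below extracts every exclusion an Add-MpPreference or Set-MpPreference command line adds (paths, extensions and process names; single-quoted, double-quoted or bare; comma-separated lists) and flags the ones that look like tampering: a single executable, a script-type extension, or anything outside Program Files and Windows. The four command lines are rebuilt from this report; the benign and multi-value lines are constructed, and the KNOWN_GOOD_ROOTS heuristic is an assumption to tune for your own estate.

```python
import re

# Add-MpPreference / Set-MpPreference parameters that carve holes in Defender.
EXCLUSION_PARAMS = ("ExclusionPath", "ExclusionExtension", "ExclusionProcess")
EXEC_EXT = (".exe", ".dll", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".ps1", ".scr")
# Roots under which an exclusion is at least plausible for legitimate software
# (assumption: tune to the estate you defend).
KNOWN_GOOD_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# The four paths this report shows being excluded, in the order they appear.
EXCLUDED_IN_REPORT = [
    r"C:\providercommon\DllCommonsvc.exe",
    r"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe",
    r"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe",
    r"C:\Users\Admin\Videos\audiodg.exe",
]
# Inputs: the report's four command lines rebuilt verbatim, plus two constructed
# lines (a plausible benign exclusion and a multi-value one) as edge cases.
SAMPLE_CMDLINES = [
    '"powershell" -Command Add-MpPreference -ExclusionPath ' + "'" + p + "'"
    for p in EXCLUDED_IN_REPORT
] + [
    'powershell -Command Add-MpPreference -ExclusionPath "C:\\Program Files\\Contoso Backup"',
    "powershell -Command Add-MpPreference -ExclusionExtension exe,dll -ExclusionProcess notepad.exe",
]

_CMDLET_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)
_PARAM_RE = re.compile(r"-(ExclusionPath|ExclusionExtension|ExclusionProcess)\b", re.IGNORECASE)


def _parse_items(s, pos):
    """Parse a comma-separated PowerShell argument list starting at s[pos].

    Accepts 'single', "double" and bare tokens and stops at the next -Parameter.
    """
    items, n = [], len(s)
    if pos < n and s[pos] == ":":          # the -ExclusionPath:'C:\x' spelling
        pos += 1
    while True:
        while pos < n and s[pos] in " \t":
            pos += 1
        if pos >= n or s[pos] == ",":
            break
        if s[pos] in "'\"":
            end = s.find(s[pos], pos + 1)
            end = n if end == -1 else end
            items.append(s[pos + 1:end])
            pos = end + 1
        else:
            tok = re.match(r"[^\s,]+", s[pos:]).group(0)
            if tok.startswith("-"):        # next parameter: the list is over
                break
            items.append(tok)
            pos += len(tok)
        while pos < n and s[pos] in " \t":
            pos += 1
        if pos < n and s[pos] == ",":      # the list continues after a comma
            pos += 1
            continue
        break
    return items, pos


def extract_exclusions(cmdline):
    """Return [(parameter, value), ...] for every exclusion the command adds."""
    if not _CMDLET_RE.search(cmdline):
        return []
    found = []
    for m in _PARAM_RE.finditer(cmdline):
        param = next(p for p in EXCLUSION_PARAMS if p.lower() == m.group(1).lower())
        items, _ = _parse_items(cmdline, m.end())
        found.extend((param, v) for v in items)
    return found


def is_suspicious(param, value):
    """Excluding one executable, a script-type extension, or anything outside
    Program Files / Windows is what tampering looks like, not what installers do."""
    v = value.lower().replace("/", "\\")
    if param == "ExclusionExtension":
        return "." + v.lstrip(".") in EXEC_EXT
    if param == "ExclusionProcess":          # a bare name carries no trusted root at all
        return not v.startswith(KNOWN_GOOD_ROOTS)
    return v.endswith(EXEC_EXT) or not v.startswith(KNOWN_GOOD_ROOTS)


def triage(cmdlines):
    """One finding dict per suspicious exclusion across the given command lines."""
    findings = []
    for cmd in cmdlines:
        for param, value in extract_exclusions(cmd):
            if is_suspicious(param, value):
                findings.append({"param": param, "value": value, "cmdline": cmd})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"{f['param']:<19} {f['value']}")
```

On a live host the same check is `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` (likewise for ExclusionExtension and ExclusionProcess), each unwanted entry is removed with `Remove-MpPreference`, and every one of these calls also leaves a Microsoft-Windows-Windows Defender/Operational event 5007 recording the changed setting, which is the telemetry to alert on when the PowerShell command line itself is not logged.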
- Executes dropped EXE (11 IoCs)
  pid | Process
  2760 | DllCommonsvc.exe
  2128 | taskhost.exe
  1288 | taskhost.exe
  3012 | taskhost.exe
  2140 | taskhost.exe
  1212 | taskhost.exe
  2556 | taskhost.exe
  2444 | taskhost.exe
  2812 | taskhost.exe
  2616 | taskhost.exe
  2916 | taskhost.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2820 | cmd.exe
  2820 | cmd.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 10 IoCs)
  flow | ioc
  30 | raw.githubusercontent.com
  33 | raw.githubusercontent.com
  9 | raw.githubusercontent.com
  12 | raw.githubusercontent.com
  20 | raw.githubusercontent.com
  23 | raw.githubusercontent.com
  4 | raw.githubusercontent.com
  5 | raw.githubusercontent.com
  16 | raw.githubusercontent.com
  27 | raw.githubusercontent.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_8c0523c38058dd704d09fcc4f017c5e46459824eb82217fa00acd01390277c85.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 9 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution. In this run nine tasks are registered, all pointing at the dropped audiodg.exe / taskhost.exe copies under C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033 and C:\Users\Admin\Videos; three fire ONLOGON and six carry /rl HIGHEST (see the schtasks.exe entries at the end of the process list).
  pid | Process
  1004 | schtasks.exe
  3008 | schtasks.exe
  2044 | schtasks.exe
  2640 | schtasks.exe
  2896 | schtasks.exe
  2100 | schtasks.exe
  2260 | schtasks.exe
  2412 | schtasks.exe
  2088 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (17 IoCs)
  pid | Process
  2760 | DllCommonsvc.exe
  2760 | DllCommonsvc.exe
  2760 | DllCommonsvc.exe
  2892 | powershell.exe
  2944 | powershell.exe
  2912 | powershell.exe
  588 | powershell.exe
  2128 | taskhost.exe
  1288 | taskhost.exe
  3012 | taskhost.exe
  2140 | taskhost.exe
  1212 | taskhost.exe
  2556 | taskhost.exe
  2444 | taskhost.exe
  2812 | taskhost.exe
  2616 | taskhost.exe
  2916 | taskhost.exe
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2760 | DllCommonsvc.exe
  Token: SeDebugPrivilege | 2892 | powershell.exe
  Token: SeDebugPrivilege | 2944 | powershell.exe
  Token: SeDebugPrivilege | 2912 | powershell.exe
  Token: SeDebugPrivilege | 588 | powershell.exe
  Token: SeDebugPrivilege | 2128 | taskhost.exe
  Token: SeDebugPrivilege | 1288 | taskhost.exe
  Token: SeDebugPrivilege | 3012 | taskhost.exe
  Token: SeDebugPrivilege | 2140 | taskhost.exe
  Token: SeDebugPrivilege | 1212 | taskhost.exe
  Token: SeDebugPrivilege | 2556 | taskhost.exe
  Token: SeDebugPrivilege | 2444 | taskhost.exe
  Token: SeDebugPrivilege | 2812 | taskhost.exe
  Token: SeDebugPrivilege | 2616 | taskhost.exe
  Token: SeDebugPrivilege | 2916 | taskhost.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Identical rows are collapsed; the "calls" column gives how many times each write appears. The report stops after 64 entries, so the list ends mid-chain at cmd.exe 712 even though the process tree continues.
  description | pid | Process | procid_target | calls
  PID 2796 wrote to memory of 2316 | 2796 | JaffaCakes118_8c0523c38058dd704d09fcc4f017c5e46459824eb82217fa00acd01390277c85.exe | 31 | 4
  PID 2316 wrote to memory of 2820 | 2316 | WScript.exe | 32 | 4
  PID 2820 wrote to memory of 2760 | 2820 | cmd.exe | 34 | 4
  PID 2760 wrote to memory of 2892 | 2760 | DllCommonsvc.exe | 45 | 3
  PID 2760 wrote to memory of 2944 | 2760 | DllCommonsvc.exe | 46 | 3
  PID 2760 wrote to memory of 2912 | 2760 | DllCommonsvc.exe | 47 | 3
  PID 2760 wrote to memory of 588 | 2760 | DllCommonsvc.exe | 48 | 3
  PID 2760 wrote to memory of 2984 | 2760 | DllCommonsvc.exe | 53 | 3
  PID 2984 wrote to memory of 2204 | 2984 | cmd.exe | 55 | 3
  PID 2984 wrote to memory of 2128 | 2984 | cmd.exe | 56 | 3
  PID 2128 wrote to memory of 2092 | 2128 | taskhost.exe | 57 | 3
  PID 2092 wrote to memory of 2180 | 2092 | cmd.exe | 59 | 3
  PID 2092 wrote to memory of 1288 | 2092 | cmd.exe | 60 | 3
  PID 1288 wrote to memory of 1004 | 1288 | taskhost.exe | 61 | 3
  PID 1004 wrote to memory of 2556 | 1004 | cmd.exe | 63 | 3
  PID 1004 wrote to memory of 3012 | 1004 | cmd.exe | 64 | 3
  PID 3012 wrote to memory of 2900 | 3012 | taskhost.exe | 65 | 3
  PID 2900 wrote to memory of 1804 | 2900 | cmd.exe | 67 | 3
  PID 2900 wrote to memory of 2140 | 2900 | cmd.exe | 68 | 3
  PID 2140 wrote to memory of 712 | 2140 | taskhost.exe | 69 | 3
  PID 712 wrote to memory of 2056 | 712 | cmd.exe | 71 | 1
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c0523c38058dd704d09fcc4f017c5e46459824eb82217fa00acd01390277c85.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c0523c38058dd704d09fcc4f017c5e46459824eb82217fa00acd01390277c85.exe"
  PID: 2796
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
[depth 2] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  PID: 2316
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
[depth 3] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  PID: 2820
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
[depth 4] C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  PID: 2760
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  PID: 2892
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'
  PID: 2944
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'
  PID: 2912
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\audiodg.exe'
  PID: 588
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
[depth 5] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hV3istLvrT.bat"
  PID: 2984
  - Suspicious use of WriteProcessMemory
[depth 6] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2204
[depth 6] C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe
  Command line: "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe"
  PID: 2128
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 7] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat"
  PID: 2092
  - Suspicious use of WriteProcessMemory
[depth 8] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2180
[depth 8] C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe
  Command line: "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe"
  PID: 1288
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 9] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uGRILFBWR.bat"
  PID: 1004
  - Suspicious use of WriteProcessMemory
[depth 10] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2556
[depth 10] C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe
  Command line: "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe"
  PID: 3012
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 11] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat"
  PID: 2900
  - Suspicious use of WriteProcessMemory
[depth 12] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1804
[depth 12] C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe
  Command line: "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe"
  PID: 2140
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 13] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vFDRBKGR2C.bat"
  PID: 712
  - Suspicious use of WriteProcessMemory
[depth 14] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2056
[depth 14] C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe
  Command line: "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe"
  PID: 1212
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
[depth 15] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat"
  PID: 2020
[depth 16] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2124
[depth 16] C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe
  Command line: "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe"
  PID: 2556
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
[depth 17] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\34gW2xHJWZ.bat"
  PID: 1284
[depth 18] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1036
[depth 18] C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe
  Command line: "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe"
  PID: 2444
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
[depth 19] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat"
  PID: 556
[depth 20] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2892
[depth 20] C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe
  Command line: "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe"
  PID: 2812
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
[depth 21] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bhowVEGEG8.bat"
  PID: 1724
[depth 22] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2856
[depth 22] C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe
  Command line: "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe"
  PID: 2616
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
[depth 23] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat"
  PID: 1984
[depth 24] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2380
[depth 24] C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe
  Command line: "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe"
  PID: 2916
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'" /f
  PID: 1004
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'" /rl HIGHEST /f
  PID: 3008
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'" /rl HIGHEST /f
  PID: 2100
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /f
  PID: 2260
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /rl HIGHEST /f
  PID: 2412
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /rl HIGHEST /f
  PID: 2088
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Videos\audiodg.exe'" /f
  PID: 2044
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\Videos\audiodg.exe'" /rl HIGHEST /f
  PID: 2640
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\audiodg.exe'" /rl HIGHEST /f
  PID: 2896
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
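The tree above repeats one pattern: a dropped taskhost.exe runs a .bat from %TEMP%, the batch calls w32tm against localhost as a short delay, then relaunches taskhost.exe. As an added example (not from the report), the Python below reconstructs a process tree from Sysmon-style process-creation records and flags four things visible in that tree: a script host to cmd.exe to non-system executable chain, w32tm /stripchart /computer:localhost under a shell, a non-system binary relaunching itself through cmd.exe, and a Windows-native binary name running from outside C:\Windows. The records are constructed from the PIDs, images and command lines of the first two relaunch rounds of this report; the root's parent PID of 0, the record layout and the name lists are assumptions.

```python
from collections import defaultdict

SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
SHELLS = {"cmd.exe"}
# Windows-native binary names this family borrows for its dropped copies (assumption).
WINDOWS_NATIVE = {"taskhost.exe", "audiodg.exe", "svchost.exe", "dllhost.exe"}

SAMPLE = "JaffaCakes118_8c0523c38058dd704d09fcc4f017c5e46459824eb82217fa00acd01390277c85.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
MSO = r"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033"
SYS_CMD = r"C:\Windows\System32\cmd.exe"
W32TM = "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"


def ev(pid, ppid, image, cmdline):
    """One Sysmon-style process-creation record (the layout is an assumption)."""
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed from the first two relaunch rounds of this report's process tree;
# the sample's own parent PID is not in the report, so 0 stands in for it.
EVENTS = [
    ev(2796, 0, f"{TMP}\\{SAMPLE}", f'"{TMP}\\{SAMPLE}"'),
    ev(2316, 2796, r"C:\Windows\SysWOW64\WScript.exe",
       r'"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"'),
    ev(2820, 2316, r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c ""C:\providercommon\1zu9dW.bat" "'),
    ev(2760, 2820, r"C:\providercommon\DllCommonsvc.exe", r'"C:\providercommon\DllCommonsvc.exe"'),
    ev(2892, 2760, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       '"powershell" -Command Add-MpPreference -ExclusionPath ' + r"'C:\providercommon\DllCommonsvc.exe'"),
    ev(2984, 2760, SYS_CMD, f'"{SYS_CMD}" /C "{TMP}\\hV3istLvrT.bat"'),
    ev(2204, 2984, r"C:\Windows\system32\w32tm.exe", W32TM),
    ev(2128, 2984, f"{MSO}\\taskhost.exe", f'"{MSO}\\taskhost.exe"'),
    ev(2092, 2128, SYS_CMD, f'"{SYS_CMD}" /C "{TMP}\\9gNv7qRJ8U.bat"'),
    ev(2180, 2092, r"C:\Windows\system32\w32tm.exe", W32TM),
    ev(1288, 2092, f"{MSO}\\taskhost.exe", f'"{MSO}\\taskhost.exe"'),
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def outside_system_roots(path):
    return not path.lower().startswith(SYSTEM_ROOTS)


def build_index(events):
    """Map pid -> record and ppid -> [child pids]."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def ancestry(by_pid, pid):
    """Image paths from the outermost known ancestor down to pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen-set guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def find_findings(events):
    """Return (rule, pid, detail) triples for the patterns this tree exhibits."""
    by_pid, _ = build_index(events)
    out = []
    for e in events:
        chain = ancestry(by_pid, e["pid"])
        names = [basename(p) for p in chain]
        me = names[-1]
        parent = names[-2] if len(names) > 1 else ""
        cl = e["cmdline"].lower()
        # 1. script host -> shell -> executable launched from a non-system directory
        if len(names) >= 3 and names[-3] in SCRIPT_HOSTS and parent in SHELLS and outside_system_roots(e["image"]):
            out.append(("script_host_drop_chain", e["pid"], " -> ".join(names[-3:])))
        # 2. w32tm polling localhost from a shell: a sleep substitute, not time sync
        if me == "w32tm.exe" and parent in SHELLS and "/stripchart" in cl and "/computer:localhost" in cl:
            out.append(("w32tm_sleep", e["pid"], e["cmdline"]))
        # 3. a non-system binary relaunching itself through cmd.exe (the .bat loop)
        if len(chain) >= 3 and parent in SHELLS and outside_system_roots(e["image"]) \
                and chain[-3].lower() == e["image"].lower():
            out.append(("cmd_relaunch_loop", e["pid"], me))
        # 4. a Windows-native binary name running from outside C:\Windows
        if me in WINDOWS_NATIVE and not e["image"].lower().startswith("c:\\windows\\"):
            out.append(("masquerade", e["pid"], e["image"]))
    return out


if __name__ == "__main__":
    for rule, pid, detail in find_findings(EVENTS):
        print(f"{rule:<24} pid={pid:<5} {detail}")
```

Rule 3 is the one that separates this family's loop from an ordinary installer chain: a binary outside the system roots whose grandparent is the same binary, with only cmd.exe in between, is re-executing itself, and in this report that is exactly how every taskhost.exe round after the first is born.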
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: a7f43dfa7a4b41d5ba3ece19cd72527d
  SHA1: c63e862be967349c39ab96561223d604ce5c184b
  SHA256: da73638453db96c4c620c775a7bddab3446d6d0661ac71c73671205cc3791674
  SHA512: bcbadda167c0b9c2c5e2281fdf6673c851492647c0ffb3fe10025a35a48c204c7852d1cfc6fe68c0deb57b7cb7738ab3df75e0e771661b7bd1e362bc6265eccc
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 4339ad1ae1221ffcd347ddec48e9974e
  SHA1: 29d2fec5c2985ed4c3b4fe4705842dfe3bd08218
  SHA256: 9307ef1860eca77a5c257fab01f8c92f92a5ee7827c95cbc2fbde6a654c52e26
  SHA512: acb09ec69d5c758ab4118658258f426d4f310c1e4d2a1e1a0ad6796201b4fe3dba943d705aa1f72e6c5f557c3df145f049c8462f0275cb48037a53fd77a32f89
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 623a26fb7eb538cfe6beab53b9d4a5e8
  SHA1: 28d4545eded51685a517e4cca4b7201b27007e76
  SHA256: 1bb75d1dbbaf60bde8ca7fc11086e15de3fea19c586c15f5585c649d6a0a5362
  SHA512: 953d0624b037fae42a9c4885bfc34d0d4e75f74619c5cfd284e7814f46ac2d2afaf1baad3cf7c675e8b329e9a9e56df2045c82ded4ed926e6df95ff86513d5ee
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 078b1e79afe583b001b508ccbe059882
  SHA1: be572705d1e9ad2937ebe0600e761b34b444cb63
  SHA256: e35eb6f66db5b0e002c06fd206626e325067d571c2e9b2ffe8511af9f461a953
  SHA512: ddbb05a92a88827184b41365a37a8c998776f267c03b3d41dec8cd05567d86a444a513cb49bbe42ea6682da7f7ad634bb0883fa3436475a64609aa8210bd7af3
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 5c36ab88c4725dda419d4029cee62c6e
  SHA1: 21fc019f494b837f51803d46fd0fb34e7ae1d73b
  SHA256: f9a94e304009d69201bc6b9c88ff7aef27d5098e1ef4324e1224d94d09ef7b07
  SHA512: 8efb38c0ec510900cf6a491aa6b1fea216297f7d481095db4a058054e699b19438f6bef27887108510c8f25b9bf6c5614144d53ab67b9cecc9643e662b4340c3
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 58735c508c9dd717afec138a9269b184
  SHA1: e9a0f5db15abd793ddc0af9f604a9d42eb70042f
  SHA256: 9a70cc25f00db0348e6242b2947336f40e266140bf0c65d5ca9eaf5bb88865aa
  SHA512: c191ba2ae3a8f3dc11d68d71d55bca556118af9acb3685988488c0d89385e6ed451a45821745270ee284e999cad6a38b28183e5173f74e5caa3ae8bc434a5818
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: e552f17ccfdf0bc9444002a2087e5533
  SHA1: 6b01407cab86f340171c767fca2d06ac4bc7cfb0
  SHA256: 88a0c10ba8184498016a91d642b6e4fadfabb0799b10eccf7ed95430e15c299f
  SHA512: a66aadbc7b3ee744d5cb327646222de5682d9fa74aa1e2821ea7cedc619218c5522405e0dd804e6761a4079f25796822218114135903987504f5d0d5395be084
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: ff035b7cf2d7b473c1c2d294e42edd8b
  SHA1: b2b412b3f12e133491382bcb5cd7d15308089254
  SHA256: d8abe84bcba03a8f8115f9e930c4b54bfd6d60a7cdca5254b26d97ef6d294e04
  SHA512: 560c45d6faeb519fd757915b498a0ad388cb127d7d18206058d57efeb7d3fbccec0e0e2cee35e5e00ded0a0f2e149fa3eacda985b58d7df97778e30a4f8345f5
- Filesize: 245B
  MD5: c66f695b21c5430772233ebaef2d3756
  SHA1: ff8010183f4f1872f356904a197d911ac0c7dc0f
  SHA256: 5c0006639bb0666b78d00218b3e435989cb43679b892bb5e9140b94450466b0e
  SHA512: c660f331c005e21b53911d94715e09f6a450f59fe0041c908023b6ca9c316e3f348f14d954280589b2e4e788d89207bfefe2ea2dfeb5a1fa4d889c790bfb3451
- Filesize: 245B
  MD5: 2732a5c650f03f6f25c2fb51f43fb72a
  SHA1: 1010fc9b277c5c26a0764db7b4e930ecee9b2b29
  SHA256: 6a9eef51a7fa109aa62b4ee676745c0c26cd42a6f2e1e1934cac1c4d446cf542
  SHA512: 87da56af40d72523d226eedc8171d3901088dc754cf4054a598b3f92458627cde796400d423cf00ae0e07babd6b40b64966ffbaf8f0dc6c9e8bba0650135799e
- Filesize: 245B
  MD5: 8b3f3c5130165ebedb636e8b9e30ff6c
  SHA1: 530d54da877c7d980e02e966c4d09312aa5d970b
  SHA256: 743f4f42e8b234616abca0541ab5e75bf6ff2f9c5b6b11ed9b1b19f02d942f3d
  SHA512: 41131b71d2f5b16c41677660fac9ad5581a144d09fde46c652df7c5e12771dcdf75375eae6fefc382fab7fe0e7669be3706bc0ec1871ac60433e4510ff91b7c8
- Filesize: 245B
  MD5: e2fd2273db7c5cc44c1e2aed536984a3
  SHA1: 3549900e50d8539b7e20828657d54f5b88fdae01
  SHA256: e1b62c77d4623a22c757bc24941bffaff640639ff07ab5051f20fe404738c0ff
  SHA512: 1322277314fd5fff829fa3d3447d15017f4d9e0cff7f8ed3994b5bc631480eaca85717ff0d33a64221731011553a7a254c01cce8fe034611a36369c37556394b
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 245B
  MD5: 6774732a9850ada1d6a506d37ea9debc
  SHA1: 2867af48f03c795dd0325f337847c84029f968e3
  SHA256: 34650f3244934f2ae9826b6e167f6b3bf11c209fa21469c6770827e812ad2524
  SHA512: 6bb88a0d98fbb4d2bbd4d55776d191975fda039b65dac00387458ac90ab3b1c814a81c65ab4c2c49ff421e1bdab3f078cc685b5520b02de05d308df8d81e5797
- Filesize: 245B
  MD5: db06b3847b3c13d81797a8413da86f73
  SHA1: d34f807ad95c3a29700e03b7574f26ef4868f472
  SHA256: de7d643854e1603f1982451f8e0859dbe2721db0fa6d8857586773aa257291a9
  SHA512: 9eab70b0585daa8b6f650793dd6865c43bfc0702d7f3e90a96bff60ea3f9ad1542351d47d087a748298883d61ca12e401c27eeeb60bd87b6a17681adbe326a02
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- Filesize: 245B
  MD5: ae86185f735639bbe551de96e2741b0b
  SHA1: 74c6895a4d0591f956a96d8b409e950793d37842
  SHA256: 5834e41e473ec118f1d6c244ff463da80871a349d32452084b4b76886ded3a81
  SHA512: ad9cc4957374a8e7977bd43c6e7e236364cb4c26b6fe7684393681a1d504113a447e06e55ed0b41603bc3de60445bb6eac2151b7fc8f143f12a56119beb9efb7
- Filesize: 245B
  MD5: bafeee015e95e7c94d3784b506735b4f
  SHA1: 00c5513f87e11a67f7f44a9f22e0f189b5bd83df
  SHA256: d6c9c37dc51a76086ea98d9d2396e2d943034948245ef5d8f7171af216d425f8
  SHA512: 20059295e40f0009fec66643a2bedc8824fae026ae90ca464b95277ce92a47ffe0c5c8981094f784ac43fad37f9290763860b35862d056261e6e7f17d1f6dca8
- Filesize: 245B
  MD5: fa808d1e4feb868df40cd3995f520c88
  SHA1: 41e435d625f3656b3003fbbb78b96793035a58d2
  SHA256: dbdf535fde3826f06965d0c0f4ea95c3acc11ce44675ccda5f6b6300175ca8e7
  SHA512: 280f36ba7ab7714e08f945b2236e1300755a2df453928df44a20780426c112f1521f608ce6164bca907744270f27cac76d6347e4584cd5b608357e9732854a20
- Filesize: 245B
  MD5: dd1498d5387e640a6d7679b3f2c10a79
  SHA1: 51ef34bd57194767212a87160517cd6d60fb13df
  SHA256: faaf718dfb890dd06b5c783c127967bd63939b15ca62948ed40d2341f92353be
  SHA512: 554d38043467924ca642a80c5163edbbd0612ba554664090ecd1c7b1f1724119b7a4792be14e8715220cd0c5100805b51459b0d92eeffbba2b478b0e0ded710a
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 5ff118f8ba7d85116efd5b8fa2114ab4
  SHA1: b5c4fc81cb571fe4c3964b09873a41697d8ecac2
  SHA256: d21eed676761d88672d8b7cc88dd02c645281da9894908d3f09c238598a905dd
  SHA512: 38dac533e21e65e83071b3c5f10499daaf41eca6ab4855a47887a74605e39b35e849ba98a0960fe568168e1af9b9f0198537abcb7580c78a33da6b8ba802d293
- Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
- Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
- Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394