Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22/12/2024, 12:50
General
-
Target
JaffaCakes118_11931e904ddb30950482b46ef54e73bf048723912c9dc29996a16e6e9c388480.exe
-
Size
1.3MB
-
MD5
f2803766a2f7cea3e91c2840ac2f85a6
-
SHA1
546004d9f413ae33db3b6d74eceea26e6453b596
-
SHA256
11931e904ddb30950482b46ef54e73bf048723912c9dc29996a16e6e9c388480
-
SHA512
c6116141dcc7ebb3efcffda6f128e9a5b0c586f26ce6bb86e738eb2d89a781bac053e4f77b7314236e59df4ecf6f4b561be131b025db9fedbf89ec0f1672f491
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 10 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11931e904ddb30950482b46ef54e73bf048723912c9dc29996a16e6e9c388480.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11931e904ddb30950482b46ef54e73bf048723912c9dc29996a16e6e9c388480.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\WMIADAP.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\WMIADAP.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\en-US\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WMIADAP.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\de-DE\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe"C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SvvYNrLnHE.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe"C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat"8⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
-
C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe"C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat"10⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵
-
-
C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe"C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat"12⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵
-
-
C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe"C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat"14⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵
-
-
C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe"C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat"16⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵
-
-
C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe"C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat"18⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵
-
-
C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe"C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat"20⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵
-
-
C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe"C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y29a6RA8xz.bat"22⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵
-
-
C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe"C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat"24⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵
-
-
C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe"C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Users\Public\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Public\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Users\Public\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\providercommon\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\en-US\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\en-US\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\providercommon\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\providercommon\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\it-IT\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\it-IT\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\it-IT\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5e4090f11d683def34e4903549107bc62
SHA12d8ae392dae0fe45e64da0b6bd6c45047d833ab9
SHA256c2c5d80aeb19f3bae9e2f4888c1d4f650aac5ee06f31e2df181850f7c9398aa5
SHA5125d7723cec8774d06c811b8d75a9be88a8965a6f7f3a44aea0a80199014d4aff3281aab22c00f10756f827df719a51779b34056dfa15214f827b3704fd79b35a5
-
Filesize
342B
MD50064915aeffcd748fad3c78f0e1de20f
SHA180043483268f9c64b320a8acb8102fed370b210f
SHA2561a8c0044d1d84ca846a372276481c17af1f2c5c4569ae083cc9579370f186ff4
SHA5125ee12cab3a874a825817fa7408f5c2112fa231f162d35102726d234f74bb5788374bafc20ed856680bbf96b89bc32f73378be818444aa5e61d4112ae1b8eada4
-
Filesize
342B
MD5043b358a97d41e19d9f09af5878ce111
SHA1c0110d9c737188a1545e66d491a0f6510b2d8675
SHA256fce673061b0c74b5a8b0e4b6189bdbec260e86871fff03f11e8ff6d84a42619d
SHA512be5b70f0ef6f5a9cfb4d7ae656e81f9d278831a23faf71b148b0db1775a97cc131394035549cb08daded2f2f7c42a0076b602709d1f4756ebcc78f41996860e7
-
Filesize
342B
MD5cc08b951b818c6f9bb18ef7fde523e50
SHA1c3b835da4c86d60aa5d2c13b6a12a8423b37a9a8
SHA256bd8ce838ca3cbf50b8518c2e05e3630b37d537f484ba3e26f4074268dee9e982
SHA51216df44a9ae44d52fe3fd4d1571a979167cac6aaad12a0911519d1a1698affd1dc2ca36d5c910d47cfb5ef1806d0feff423234018ec705c73484edbe2ed62f7e8
-
Filesize
342B
MD58a7ed8cc962d902f2150a71dbf0b3491
SHA187a70ce98058452c69738de4bd5db470d6816add
SHA2563a26c1a90484708e22ba7ef3fa279fb46aad3b0f53958e5a8228fcb7fca9f264
SHA512d5a4f7c84d057a5327304d94c6d7b4a534fcfa29ba297f24f7e883443caf8dd8372124cf87482ecaacaf05d32d158889e84fd49003778921cf4d278f32e4a9d0
-
Filesize
342B
MD5297bbdd85fa7a4ae53bbad1fd85837c2
SHA1b47f04a66ca278186e3ab2929888ac7eff58de37
SHA256dbc9748d3127a5ced92ca61ed8f31ce40563931abb054a3b2d4df07c31112754
SHA5127bf2f9e024c34f1e507c05a57975403b2e110027dec8ffba2435a213e216feb3be609794d43cf8a17bcfe15451fa443dcc1763f6c689d50c9fe71eb47869e70a
-
Filesize
342B
MD5cba6e95807e28bc8defda5a2d47d62f6
SHA1305063a44f2bd1d11b63a524dc9fba7ad52b6957
SHA25639ac0b0408713c531a95edd17de06b4287c79861398ae82d4ae08dec5a40d009
SHA5124b3a433bbf14bae33bce9930654f23d9c578205a98d5fa8817439a1c7022c9953f753dc37edcf9d50c66230744ddab184d2f2df08e25b2c5c3cc8f86cdc29aed
-
Filesize
342B
MD5bf534c510f956468fb7e0d7b0b836b6f
SHA125463a59d94e1b4d4436e38e1b78b669fb3a1e34
SHA256723aaab1a65b0d5be485dcb6ade3031d55d06cb7ea4a2b311fb672d1793ad214
SHA512ea7dea9f6be9b727507d3a19c1b3c98dcbf34cd2ffe389c4f141a098631fab4817820b96eaf9397c0d5e8cd94ef71019596d3bc706d5099ee5bd5e5fc2ee6c84
-
Filesize
342B
MD52ca426afec7562e0c9d52347e03be346
SHA1e36bdf81354235ff88373b143d93189e7e340e83
SHA256396bba821c64f01fccdc609a04c5a8c6b1ccdb601a18f4a107939682a997f580
SHA5126a91ae804dc38d6580f8bebc5aeceeffd32093b3016c08e0615901a97656d7783ce55c2c69e4659219d05d1564ab33c9deb2a3315f9053f968d69bfebc501066
-
Filesize
221B
MD56979bd9ed25b0c94b4f2c31e0f9d497f
SHA1d2e9fb4adcc880f95b4e94e9d7d02428f5307632
SHA2562fc46fbf651948605e2076fdbe999a71ef56354c8f48cd12916f6259ebc24102
SHA5122a23bca4993974d689f8b8db03cadd0ab0c29e6b9bc9bcf095ffe991bc78fe28cde1f0733c20e044b900689d92d96c96080caaedf583cbe62c1bf73b95a12aa2
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
221B
MD567a5e9ef6e40e08f909deda48dc299b7
SHA10a5ec871c11195412f519c50e0ae70fb66e43807
SHA256844d23b62e59243f7c588df22b86375402a3786d0ad591555b1524ca8f2a93c6
SHA5124ef54884246731814150590cb3115b5724edfde69eb22cec3da09d381df756948bd1ecd3c21fee4c704fd9583a4a12243797441706703b733a06c3c6a82033c2
-
Filesize
221B
MD565685c8f3aab6321198a9a2436ac9427
SHA1d1a4007f34241c15a3086ddaa25411101f7d6d37
SHA2566f31acf34cd2400078d1d0e6a460ab12a55811aa9a454dd0c07d6c913e48fbcd
SHA512090f855d14b1fe16eff5df14a94322d742cb6b67fd2028c402fd739df20b0b621d527e6d9100e2f33802b1bb0dbca1940e5be557671837f6235e5acce02895ab
-
Filesize
221B
MD596f8954a8d0b97c8d9985cad2637df32
SHA1ff31b963e15a24e03eace7c564bf11f32d5934e6
SHA2566c77c206d2504bbe0e5cec1154ed815a4fb189e43cb8bd06e12afe499b3a2bd0
SHA5129ce765a0bf2eac0fa218d76e836f79f39d658bbd2a0745a3061ae37980b04e2e4a223621c433a4feedaf2ef0354af523c2508a2684a63e5352bea19afcc9580a
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
221B
MD5645c1928fbef5364b90994eb78d8588c
SHA1c9358552fbf75d859a85c89622d01ffe37eb9674
SHA25603bae5e2ae4edef27e8ee123876d772f62df889d54b1f68f47dc5cfb7a3c6f37
SHA512993ef85f662c8f30f00a7f4b88dbe620e3f8fa62a6037115bab577d43939438331c3995dd3d9405954a2bdf75954a620dafbe66d2ff961723cb2dcef83060896
-
Filesize
221B
MD5cb0b89567f2824a6d1ee0459d4573099
SHA1065af58ea21649c17aa1e5d81fa3264625eb5653
SHA256071fec8cc659d9278d5d261d2794eff133603d51385f1e9313e632dd62a4eed8
SHA51246803dfe0f216094542445ffcf4a67c17191407fd4e9391df9c618b69c0894bc0e72569309af3dbbdf8d21baf929c96f88b41fe5f8c31178e7a522009cb6f053
-
Filesize
221B
MD5a52adee42ef0cc5bd40ec2cf365e4816
SHA1f3989216aaffcff88a88902ca62b324dbd8c3451
SHA2561c7378fc87ce1a052671e6379a8db5c05884776851235a346c6092cabc1dd6f7
SHA51203d04af9b46d9a7ffb434a30e13bbd2b5eb8b0960f136bd8a2513cd91145e9d8c0206e9aa150060fd1210931d3eae1039937a7d19200773160192608ac50bbdb
-
Filesize
221B
MD502e529a28bd6ce2f2fdc46b9f1c7c216
SHA146bdeb447675e8d2bf6b8bf1df2cfe54235a54c4
SHA256245b7daff3b42dee5ffac926df3705a4dee4ebfddc268d053a2c8a459942569e
SHA512ce79c0b641667bd9c32d8608a2de3649e7e519391afa167944811d490105bd32962eb2a180a810c13f582d81046af76eba671aaca99147cc89bb460bc63af126
-
Filesize
221B
MD5a2f7d2a0b081d7f752a4751d60b1e3a6
SHA1c310a424c56168feae23a6b5c35f51ebc77cefb9
SHA256b3dd15a5c1e0bacc24d87eefe69068a4d216a7b75f8f2edb1f554970674b6a82
SHA5127304a3d21351585c4fc13a7271b4ebf955e3ba89cfba1e3b4efd7e11bd85245677b1197b327b065e6cc3dd5fc609dfbb6b53341941825b95773d197728fbe470
-
Filesize
221B
MD5c835736a78bf064d529557a9a6ec5e2f
SHA1a78bb8495ea7e3bdd252fe853798ed3da16c3b95
SHA256feac4c82a98572c17d699e72e64218add82e70a1b0f6f2345870ae6b8a7e6877
SHA512f9ae3e90f949d80e334d2cd7dbea153b6b15170ad86e675fdb31101d3d9d91a1cd65b4e470e7579b7e783f70de83aae91b6d3b0c77ef6207bb2952f0ed99a768
-
Filesize
7KB
MD50d48d9ede5e58d4735709893bb584d7a
SHA1129f1edf37b22134ef57066472d16a84ec047de5
SHA256bef3356be89308492bc2614c543d4ea8ba781a8ee02cacb59a5a96708c4b4560
SHA512d669fa044f3377081f2751d79b83bb633ef5c685b0a8787791497ca02c5234095610c670573fa29bd7cc10ab7632bf91c69a7079ac60f3f8bd622bed5790ae8c
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB