Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 146s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 22/12/2024, 19:38
Behavioral task: behavioral1
- Sample: JaffaCakes118_7f7c7bda6fcb4205a896f40083a5bc265cc6e7042044d1a88da39f781f024bbe.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_7f7c7bda6fcb4205a896f40083a5bc265cc6e7042044d1a88da39f781f024bbe.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_7f7c7bda6fcb4205a896f40083a5bc265cc6e7042044d1a88da39f781f024bbe.exe
- Size: 1.3MB
- MD5: cb10490bf0f347f0fcfdb2799270b73a
- SHA1: 02d258f594c46471c385c72fd765d58cc2fc87a6
- SHA256: 7f7c7bda6fcb4205a896f40083a5bc265cc6e7042044d1a88da39f781f024bbe
- SHA512: ff8bd9ec4326ead22774f00c7f9d3dc70b57f56fa7a3c59f0b50276d9dd622790b9a623367f5f6790944152add6a891910f3065803e34d02d923566f081a6749
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
  resource                                                                      yara_rule
  behavioral1/files/0x0008000000016d46-9.dat                                    dcrat
  behavioral1/memory/2984-13-0x0000000000E90000-0x0000000000FA0000-memory.dmp   dcrat
  behavioral1/memory/1940-41-0x00000000013C0000-0x00000000014D0000-memory.dmp   dcrat
  behavioral1/memory/2548-294-0x00000000001E0000-0x00000000002F0000-memory.dmp  dcrat
  behavioral1/memory/1532-355-0x0000000000320000-0x0000000000430000-memory.dmp  dcrat
  behavioral1/memory/1720-415-0x0000000000F00000-0x0000000001010000-memory.dmp  dcrat
  behavioral1/memory/1972-475-0x0000000000FB0000-0x00000000010C0000-memory.dmp  dcrat
  behavioral1/memory/652-535-0x00000000011B0000-0x00000000012C0000-memory.dmp   dcrat
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
  pid   pid_target  Process       procid_target  description
  2592  2620        schtasks.exe  32             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  2644  2620        schtasks.exe  32             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  2200  2620        schtasks.exe  32             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  2740  2620        schtasks.exe  32             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  688   2620        schtasks.exe  32             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  740   2620        schtasks.exe  32             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  1184  2620        schtasks.exe  32             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  1676  2620        schtasks.exe  32             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  308   2620        schtasks.exe  32             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  824   2620        schtasks.exe  32             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  2940  2620        schtasks.exe  32             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  3040  2620        schtasks.exe  32             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid   Process
  2056  powershell.exe
  880   powershell.exe
  3064  powershell.exe
  1820  powershell.exe
  2560  powershell.exe
Executes dropped EXE 11 IoCs
  pid   Process
  2984  DllCommonsvc.exe
  1940  audiodg.exe
  896   audiodg.exe
  2820  audiodg.exe
  1096  audiodg.exe
  2548  audiodg.exe
  1532  audiodg.exe
  1720  audiodg.exe
  1972  audiodg.exe
  652   audiodg.exe
  2740  audiodg.exe
Loads dropped DLL 2 IoCs
  pid   Process
  2996  cmd.exe
  2996  cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  flow  ioc
  12    raw.githubusercontent.com
  16    raw.githubusercontent.com
  30    raw.githubusercontent.com
  34    raw.githubusercontent.com
  37    raw.githubusercontent.com
  5     raw.githubusercontent.com
  9     raw.githubusercontent.com
  24    raw.githubusercontent.com
  27    raw.githubusercontent.com
  4     raw.githubusercontent.com
  20    raw.githubusercontent.com
Drops file in Program Files directory 4 IoCs
  description   ioc                                                   Process
  File created  C:\Program Files (x86)\Adobe\sppsvc.exe               DllCommonsvc.exe
  File created  C:\Program Files (x86)\Adobe\0a1fd5f707cd16           DllCommonsvc.exe
  File created  C:\Program Files\Reference Assemblies\csrss.exe       DllCommonsvc.exe
  File created  C:\Program Files\Reference Assemblies\886983d96e3d3e  DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_7f7c7bda6fcb4205a896f40083a5bc265cc6e7042044d1a88da39f781f024bbe.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2740  schtasks.exe
  688   schtasks.exe
  740   schtasks.exe
  3040  schtasks.exe
  2592  schtasks.exe
  2644  schtasks.exe
  2200  schtasks.exe
  824   schtasks.exe
  2940  schtasks.exe
  1184  schtasks.exe
  1676  schtasks.exe
  308   schtasks.exe
Suspicious behavior: EnumeratesProcesses 18 IoCs
  pid   Process
  2984  DllCommonsvc.exe
  2984  DllCommonsvc.exe
  2984  DllCommonsvc.exe
  880   powershell.exe
  1820  powershell.exe
  2560  powershell.exe
  3064  powershell.exe
  2056  powershell.exe
  1940  audiodg.exe
  896   audiodg.exe
  2820  audiodg.exe
  1096  audiodg.exe
  2548  audiodg.exe
  1532  audiodg.exe
  1720  audiodg.exe
  1972  audiodg.exe
  652   audiodg.exe
  2740  audiodg.exe
Suspicious use of AdjustPrivilegeToken 16 IoCs
  description              pid   Process
  Token: SeDebugPrivilege  2984  DllCommonsvc.exe
  Token: SeDebugPrivilege  1940  audiodg.exe
  Token: SeDebugPrivilege  3064  powershell.exe
  Token: SeDebugPrivilege  880   powershell.exe
  Token: SeDebugPrivilege  1820  powershell.exe
  Token: SeDebugPrivilege  2560  powershell.exe
  Token: SeDebugPrivilege  2056  powershell.exe
  Token: SeDebugPrivilege  896   audiodg.exe
  Token: SeDebugPrivilege  2820  audiodg.exe
  Token: SeDebugPrivilege  1096  audiodg.exe
  Token: SeDebugPrivilege  2548  audiodg.exe
  Token: SeDebugPrivilege  1532  audiodg.exe
  Token: SeDebugPrivilege  1720  audiodg.exe
  Token: SeDebugPrivilege  1972  audiodg.exe
  Token: SeDebugPrivilege  652   audiodg.exe
  Token: SeDebugPrivilege  2740  audiodg.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (nesting level in brackets)
[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7f7c7bda6fcb4205a896f40083a5bc265cc6e7042044d1a88da39f781f024bbe.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7f7c7bda6fcb4205a896f40083a5bc265cc6e7042044d1a88da39f781f024bbe.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2288
[2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1532
[3] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2996
[4] C:\providercommon\DllCommonsvc.exe
    Command line: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2984
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:880
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\sppsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1820
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\csrss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2560
[5] C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe
    Command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1940
[6] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat"
    - Suspicious use of WriteProcessMemory
    PID:1712
[7] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID:2064
[7] C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe
    Command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:896
[8] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1JZ2DT5CuV.bat"
    - Suspicious use of WriteProcessMemory
    PID:2332
[9] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID:824
[9] C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe
    Command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2820
[10] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiBdOqTAMf.bat"
    - Suspicious use of WriteProcessMemory
    PID:1676
[11] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID:3052
[11] C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe
    Command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1096
[12] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat"
    - Suspicious use of WriteProcessMemory
    PID:932
[13] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID:1160
[13] C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe
    Command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
[14] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xHU7fKnwSZ.bat"
    PID:2200
[15] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID:1804
[15] C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe
    Command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1532
[16] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KteTxDTZHh.bat"
    PID:1508
[17] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID:2312
[17] C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe
    Command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1720
[18] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zlkj4ltLQI.bat"
    PID:956
[19] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID:1540
[19] C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe
    Command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
[20] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tYG4XGbOex.bat"
    PID:2412
[21] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID:1036
[21] C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe
    Command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:652
[22] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat"
    PID:2716
[23] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID:2392
[23] C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe
    Command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
[24] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat"
    PID:1744
[25] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID:2336
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:2592
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:2644
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:2200
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\sppsvc.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:2740
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\sppsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:688
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\sppsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:740
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:1184
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:1676
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:308
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\csrss.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:824
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:2940
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:3040
Network
MITRE ATT&CK Enterprise v15
Downloads