Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22/12/2024, 20:10
General
-
Target
JaffaCakes118_1230a11d8f6e8555c8c8a18083659ee91e4749283f8f908f428399ada45470da.exe
-
Size
1.3MB
-
MD5
a0f9dc5d7bf5378ec878f41180b9c876
-
SHA1
bdba0fc60ee92c340b57f28cce29c0ff55f829a1
-
SHA256
1230a11d8f6e8555c8c8a18083659ee91e4749283f8f908f428399ada45470da
-
SHA512
799998fd3b865ce1237c2394b948a798e2fd7e34407d10d51efec0866a1d2324415f7bd6018b6ab981c0a2d82b76a8de3f0c1bc26b6ef6eee01e9ca284d5c213
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 10 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
-
Drops file in Program Files directory 9 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1230a11d8f6e8555c8c8a18083659ee91e4749283f8f908f428399ada45470da.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1230a11d8f6e8555c8c8a18083659ee91e4749283f8f908f428399ada45470da.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\it-IT\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\en-US\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gKSvXanOy6.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Windows\Prefetch\ReadyBoot\winlogon.exe"C:\Windows\Prefetch\ReadyBoot\winlogon.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
C:\Windows\Prefetch\ReadyBoot\winlogon.exe"C:\Windows\Prefetch\ReadyBoot\winlogon.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"9⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵
-
-
C:\Windows\Prefetch\ReadyBoot\winlogon.exe"C:\Windows\Prefetch\ReadyBoot\winlogon.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uZApDsIgYI.bat"11⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵
-
-
C:\Windows\Prefetch\ReadyBoot\winlogon.exe"C:\Windows\Prefetch\ReadyBoot\winlogon.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ph6jqiBtuj.bat"13⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵
-
-
C:\Windows\Prefetch\ReadyBoot\winlogon.exe"C:\Windows\Prefetch\ReadyBoot\winlogon.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat"15⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵
-
-
C:\Windows\Prefetch\ReadyBoot\winlogon.exe"C:\Windows\Prefetch\ReadyBoot\winlogon.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat"17⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵
-
-
C:\Windows\Prefetch\ReadyBoot\winlogon.exe"C:\Windows\Prefetch\ReadyBoot\winlogon.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"19⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵
-
-
C:\Windows\Prefetch\ReadyBoot\winlogon.exe"C:\Windows\Prefetch\ReadyBoot\winlogon.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"21⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵
-
-
C:\Windows\Prefetch\ReadyBoot\winlogon.exe"C:\Windows\Prefetch\ReadyBoot\winlogon.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat"23⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵
-
-
C:\Windows\Prefetch\ReadyBoot\winlogon.exe"C:\Windows\Prefetch\ReadyBoot\winlogon.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat"25⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵
-
-
C:\Windows\Prefetch\ReadyBoot\winlogon.exe"C:\Windows\Prefetch\ReadyBoot\winlogon.exe"26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NiQtqM3qVs.bat"27⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:228⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\ReadyBoot\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jre7\bin\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre7\bin\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\it-IT\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\it-IT\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\en-US\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\en-US\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\providercommon\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5caeb2e85e0a8cb3fc5f1c557834a025d
SHA1d8d6c62bf3e5156b8ebbf029757549702f14aa54
SHA256b177d8030e015ebe36d96fa1a8125b8f122040d99acf82d8f884a304bfcbd36f
SHA5128236d0ed85e1e7a61d1b03f1d5819e7c5e578996f17842bd957e81e574014f24ed7368342672830e03666a3ac3e9422b384b7acb420a4cf1c6c7a46f43ea1d6a
-
Filesize
342B
MD5774be9d4c7a95584cc2fca607311df6b
SHA196cbf8e0a9ef365b33233f17a0643ae77771299f
SHA256d8da223af60cc2996b63f67c9b80088ecc71804881394e694fb484c4c82e1e92
SHA512aeea52458d816661b8220e4990b4a5fc2364813397e772373700953a7aca25a982e733e8520687c1356966516fbbbcd2928616b1d766b49af687009219481e8d
-
Filesize
342B
MD5156bb4b1b18c1397c367d2b2507fb786
SHA1b353992c05cca4bcf7cd2da8539547a1e6e1d2f7
SHA256ee5ae8f2c5ef8af8e1916946678bb497cde0e9c95b7ff3ba0e63043acc4a3383
SHA5127e0fc44be4fee14dcb397fd6fbf93f7a4238b8ab4e5ecfbcf3cabe95d8b6d87f750f081a7f97d3fddf7f8a90866edb7c9ce8cf73f252aed270e5570c1eb5cdd8
-
Filesize
342B
MD52afe4dc92800307fd7fe0e9cdbffd4e7
SHA1702a2f3cac84e97064272e0b269d9caca24a5133
SHA256def4c8d741933e38c940e66bc42d49e3f52aa5acb73569619aadc732a201de81
SHA512afc9a8c61aaf3782ff8908c415cb8465a9f812cda6781ec446dd8a453d6dc111a5b9033574fb11fe21880dff1e4feac5f3af86145b3cc956a14e63cd8e3f66e7
-
Filesize
342B
MD55658e64ac4786fec4c535e40e22da8f1
SHA1763dd1000d884dbffa7efa55d4c09023c4a906d2
SHA25662c3e1ccef140c89bc3f96de9aacbb9b2baae13be7a54e27f25f8fd02100f35a
SHA512483053e9197bd8a46f7e9b83525bc6e89a73c2d7527ee5de228481e434f9956f7d6d335480b207007caaff4196e88b35a911ee0c231ad2fb679428029a4b23f6
-
Filesize
342B
MD50c352ffce357dcddea5603db2e3dd355
SHA1a450bf561e52c091f3139283fbb6563cc9c3fa95
SHA2567bfba0f6249350ac7211fd0a12dc915075766d941aca939ed51b4e6804cd1bf5
SHA5120b6b56172481d33804ec7c20538b9640eb532c123972acd3cca17c277621b6425eaee129d12bc9d991c48b421f7bd41304a2c0a9449997a88d612e2eeb962ceb
-
Filesize
342B
MD57ff7fff6a2c1a49f43a4a7593739e384
SHA1410bc976a30760b001ca823c7bbbab5c331f8d29
SHA256b5a33116ca170196e235476012377e75117b238ce21c167b17dda21843cb3c1a
SHA512f5a83f1330988278f16397dadf10c74148cb336e3586bf158579410085d6f25d7be4320343b460cbd5209d3162ef5e1be13913afbcc57cd14d7f9ca2fbc0cc46
-
Filesize
342B
MD5892ac6e301a6d23be29136ad9d1ecb4b
SHA14bfb6c133049120e7a065bd567ff34450e6dc1d6
SHA256b8789a70c886d11c9e0c126d58a99c007cccef3a8836107fd523bc9aca9c1dee
SHA51285c86b4e6d575c0d541ce39901b91470a25864697ed5fd45209e6a47d634c3d240080cf54c03854b9edd866c3f53f8223078baaec40f5bf7ef0d63d8d9f68013
-
Filesize
342B
MD5b80c734a6f76f85856c166a2ca10b4c2
SHA142e7b9353b944869d8a7dc3a8f6d29e0ebaeb976
SHA256a226e4fc8baf2ca3b13128b18cdfcb3cc046058e9bc94aec1a273ed2863bc929
SHA5126e24e897f4d50079de468f34705b77448c5a8301c34ce4bf809570c0555318484e3e11fd8429d0e50ecebfe5b3f89737c6efb97fc2cd6e3305297be55c951f7a
-
Filesize
342B
MD5c238e393458089fd0a69fee165705b61
SHA1cda9dc1cae0888f8b1f45152084ef371375effea
SHA256bded76ffa717287e31d17bfa4fef09fd083fe9bfc35a3233d32bfe6a02b6bff0
SHA512072f208758098df2a82ec5fc4f8d392d9bb90f110bb924ba030f2fa29dd13346e1c443eb6623a89385e0d27ec9f514962d9d8144a2e575a6918d42f4b9fa5ea6
-
Filesize
207B
MD5664fe4e3bef7360dedce8c0aceb4d746
SHA1c91d010725e20eee5e1d021e9b73bd6c0f973404
SHA2561c3b67f2acaa0cde01e643ccb1db377c97c5087c725c8bc8ac255b94691d0d3b
SHA51260223f19e442b92df52bb411e90c1353ea6994c6a9336450c034d4399194c94530bf09f912e065410d3afacd0ececc55617d63424483786381538dcd2df0ed7a
-
Filesize
207B
MD592dca89726636caee8d1c57c8003f731
SHA140b15a2ad18f1d883c7a792c173f14a67f109328
SHA256022df413e2b5fba9455f4c6e25375e1a01f406bae950b7f79ef4cfd5d861b2b5
SHA512f4c8d888833c70ebec6b8630278d713a7698720c287d33f43bae7d31c2fc51fcacae0a2b8747b1dc6b5278b87e20fb9418bfbf36f0233fcf2e216a50cb2fae6c
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
207B
MD5645567495d0d1b4ab8d6c6a601290bdb
SHA1b40c8272a732c430f173792d3d5396f8f841c53a
SHA256532253ed56f453d4b5fd5f4928a6f90f52d364d32d80a6e21cb475cf37cd6bb5
SHA512225e4341d7c9614df33efcdb61c110532e79dfd0e8590d65cf0fbd3cb3a1cba43417381e71a2051d1c03d79c97b2a12c3b935cbc0f4974f2ff82908a9da5b669
-
Filesize
207B
MD5bb7e3a623098774e7481c8ceaef9140c
SHA18242cca4fd56e088bc9516da32b948e6b43ab9d6
SHA25681ab5ebe843dea0a7c06d3ec37001019852a23ef6d3f6f56783c61d2f7cb156d
SHA5129cbf700075a25f04a0b87d2c2febdeb21494c563e6d6fc71244253598b1f9e83c8fa20f03d0983be26d52631888c1749f80a3a9e22401aa77df1a9d27d40d900
-
Filesize
207B
MD59ccd5541f9ed8b45cc57f7a8d349c16b
SHA136a018878aebb09bbc0bf3657f4ab336d033cb92
SHA2562e4694c305a2adc983bfc6a1b230faa9c32865a8634fb0b1b205f8e7c41bb494
SHA51218e4430324e24099224550dca451bbe9506edfebad3637671adc9469f27f54eb8279806ef53ad43c639db5d4f0ca7c03b0da5bc97eb2097c9acb0623e0ec61b3
-
Filesize
207B
MD5e351ef45695020a03884431310365709
SHA1d8f26f2d8cfdb8b4fb5df2966dab50045564b31d
SHA2569848fcecef71afa8dc5681d3667f76cedc445139339bcda0f93aff05cd4018e9
SHA512efd78c970631654cfb993ba7b37012c83f6eb6d236a160622eee159c7f8f69a97aa40fe08ef5bc102eb4255ed744859b488cecfe5199abf21a361c9d756e4a68
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
207B
MD529dc0fbdd58c17a5e653796dc3f3acc0
SHA19782be887ce0c74f8ebfc104f6c060ed45feb0c3
SHA2561ec3b883e7d467e3a83394b3c6fd2d4f869e1aa5f12fc17a2d09887c22abdce8
SHA512100229c30dd4f027837dc33c947f52d3ff82b8571234381cdfd35ac01663d3003918621f2a19e507f072360ad95e24b0c6a9dd04a89e0ef79061c8bcefe47c2c
-
Filesize
207B
MD5d1fb1cd58de999e817b1b8c514c77dab
SHA135e77021766a708304b264d8206183fccde10c44
SHA25622ce4dd060f43e170520e79a99e0d078c720031e0012851c44f73a230aecfdcd
SHA5120a64e0168318edf54c7b474a231295f9ead82db133221c94c8d7d00c64326de0f7644907ce95c52e2d917d9c7ee1b80a880ebb7edbc489fb977cd715a0b6d502
-
Filesize
207B
MD5481da633282f9375b989942433f67d4a
SHA104ec3109534965231d0f4a8b2c6735f517ee5498
SHA256aa1f08175db25e6efa6ae54ffc021f41a6d05b5d0d195df7c1403f8852d709e6
SHA51209e66f67e6a186718b78795d32d1c884e361dc94048f523bd158da0a36a4f09f75b2bea5387c5c3ae0193e7301b252341ee55f676a38b6cffdde1b6ce7ebfb5a
-
Filesize
207B
MD5a117235ac8e66792439e8189397428aa
SHA17cddb720aa088a266afbed47ec76a69073565f62
SHA2567bf8440e56b6b1a6532dc7366d84c98c5f909a1fded2781d0a51ae6c41ebd186
SHA5125407d0db2d1df8f7ddf04797b772096913b2571d9bdc0101d8dc147298424f7b8b4820b4f96598e47ed1a2c166a0c2c8d32ef954925949b2be6545734551a037
-
Filesize
207B
MD53ea4a96db4f987d3d80ab0db9bbce102
SHA13da814b93aa9f3930851bd330712e2c39051afaa
SHA25680ad6384d5020ed2384b668b33de89c4e6b80fc2c1694c7d2d909885da4e61d1
SHA512f496a9c9e09cfb2f396e65d2c0d4eb34276dd66d69ced6830e3b15704e1ad8f235e1859d25fc204fb3d6aca0b23c90c854526062aa3de227f5aaf6cfa81b07cc
-
Filesize
7KB
MD5a5daecff808b678ebe65397c208ccbc9
SHA115f77fbc96eed762e5d127bab9e386694b0d3182
SHA2560f3d5fb5fa140ad33c5724448b2e6eb18668d4b276e4e5175b81898481ef315f
SHA512f75e104d94a1760bdce962fc7f6642967159d8968cda614014a40a3ac86566030e89e16efd7409015f2c1ed83a2b1e88d965c4e8769b558f4d997620b9ae9cc3
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.1MB
-
Filesize
32KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
2.9MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
1.1MB
-
Filesize
48KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB