Analysis
- max time kernel: 146s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 22-12-2024 01:18

Behavioral task: behavioral1
- Sample: JaffaCakes118_cd490e0c73d4151742246381a61cbc8d67c95aa547f40db250112c354fc7bf65.exe
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: JaffaCakes118_cd490e0c73d4151742246381a61cbc8d67c95aa547f40db250112c354fc7bf65.exe
- Resource: win10v2004-20241007-en

General
- Target: JaffaCakes118_cd490e0c73d4151742246381a61cbc8d67c95aa547f40db250112c354fc7bf65.exe
- Size: 1.3MB
- MD5: ece36ae77bf422e4658737054f617a94
- SHA1: 1da918f476f888a02bf8923d8cfdb96e6edb106b
- SHA256: cd490e0c73d4151742246381a61cbc8d67c95aa547f40db250112c354fc7bf65
- SHA512: 3b253c4a03f4457bf1a9b7895583ba4f357717cdf337b08fb947f00af8bf3be25dbddfd4c3d38bcf36fe04b8513171413f83130da8f7aa3cd9fefbc1f0cb6a08
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

- Dcrat family

  | resource | yara_rule |
  |---|---|
  | behavioral1/files/0x0007000000019470-9.dat | dcrat |
  | behavioral1/memory/2888-13-0x0000000000E40000-0x0000000000F50000-memory.dmp | dcrat |
  | behavioral1/memory/2632-56-0x00000000013B0000-0x00000000014C0000-memory.dmp | dcrat |
  | behavioral1/memory/1064-175-0x00000000002E0000-0x00000000003F0000-memory.dmp | dcrat |
  | behavioral1/memory/2928-235-0x0000000000E00000-0x0000000000F10000-memory.dmp | dcrat |
  | behavioral1/memory/2548-295-0x00000000011F0000-0x0000000001300000-memory.dmp | dcrat |
  | behavioral1/memory/1560-534-0x0000000001300000-0x0000000001410000-memory.dmp | dcrat |

- Process spawned unexpected child process (12 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.

  | description | pid | pid_target | Process | procid_target |
  |---|---|---|---|---|
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2796 | 2868 | schtasks.exe | 33 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2900 | 2868 | schtasks.exe | 33 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2700 | 2868 | schtasks.exe | 33 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2852 | 2868 | schtasks.exe | 33 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2872 | 2868 | schtasks.exe | 33 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2132 | 2868 | schtasks.exe | 33 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1876 | 2868 | schtasks.exe | 33 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2212 | 2868 | schtasks.exe | 33 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1892 | 2868 | schtasks.exe | 33 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1444 | 2868 | schtasks.exe | 33 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2668 | 2868 | schtasks.exe | 33 |
  | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2984 | 2868 | schtasks.exe | 33 |

- Command and Scripting Interpreter: PowerShell (1 TTPs, 5 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  | pid | Process |
  |---|---|
  | 1732 | powershell.exe |
  | 1728 | powershell.exe |
  | 948 | powershell.exe |
  | 1292 | powershell.exe |
  | 900 | powershell.exe |

- Executes dropped EXE (11 IoCs)

  | pid | Process |
  |---|---|
  | 2888 | DllCommonsvc.exe |
  | 2632 | lsm.exe |
  | 872 | lsm.exe |
  | 1064 | lsm.exe |
  | 2928 | lsm.exe |
  | 2548 | lsm.exe |
  | 324 | lsm.exe |
  | 2140 | lsm.exe |
  | 2220 | lsm.exe |
  | 1560 | lsm.exe |
  | 2328 | lsm.exe |

- Loads dropped DLL (2 IoCs)

  | pid | Process |
  |---|---|
  | 2812 | cmd.exe |
  | 2812 | cmd.exe |

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 10 IoCs)

  | flow | ioc |
  |---|---|
  | 26 | raw.githubusercontent.com |
  | 30 | raw.githubusercontent.com |
  | 34 | raw.githubusercontent.com |
  | 12 | raw.githubusercontent.com |
  | 15 | raw.githubusercontent.com |
  | 19 | raw.githubusercontent.com |
  | 23 | raw.githubusercontent.com |
  | 4 | raw.githubusercontent.com |
  | 5 | raw.githubusercontent.com |
  | 9 | raw.githubusercontent.com |

- Drops file in Program Files directory (4 IoCs)

  | description | ioc | Process |
  |---|---|---|
  | File created | C:\Program Files\Windows Journal\lsm.exe | DllCommonsvc.exe |
  | File created | C:\Program Files\Windows Journal\101b941d020240 | DllCommonsvc.exe |
  | File created | C:\Program Files\7-Zip\Lang\spoolsv.exe | DllCommonsvc.exe |
  | File created | C:\Program Files\7-Zip\Lang\f3b6ecef712a24 | DllCommonsvc.exe |

- Drops file in Windows directory (6 IoCs)

  | description | ioc | Process |
  |---|---|---|
  | File created | C:\Windows\es-ES\WmiPrvSE.exe | DllCommonsvc.exe |
  | File created | C:\Windows\es-ES\24dbde2999530e | DllCommonsvc.exe |
  | File created | C:\Windows\CSC\v2.0.6\DllCommonsvc.exe | DllCommonsvc.exe |
  | File created | C:\Windows\debug\conhost.exe | DllCommonsvc.exe |
  | File opened for modification | C:\Windows\debug\conhost.exe | DllCommonsvc.exe |
  | File created | C:\Windows\debug\088424020bedd6 | DllCommonsvc.exe |

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  | description | ioc | Process |
  |---|---|---|
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_cd490e0c73d4151742246381a61cbc8d67c95aa547f40db250112c354fc7bf65.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |

- Scheduled Task/Job: Scheduled Task (1 TTPs, 12 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

  | pid | Process |
  |---|---|
  | 2212 | schtasks.exe |
  | 1892 | schtasks.exe |
  | 1444 | schtasks.exe |
  | 2668 | schtasks.exe |
  | 2900 | schtasks.exe |
  | 2852 | schtasks.exe |
  | 2872 | schtasks.exe |
  | 2132 | schtasks.exe |
  | 2984 | schtasks.exe |
  | 2796 | schtasks.exe |
  | 2700 | schtasks.exe |
  | 1876 | schtasks.exe |

- Suspicious behavior: EnumeratesProcesses (18 IoCs)

  | pid | Process |
  |---|---|
  | 2888 | DllCommonsvc.exe |
  | 2888 | DllCommonsvc.exe |
  | 2888 | DllCommonsvc.exe |
  | 1292 | powershell.exe |
  | 1732 | powershell.exe |
  | 900 | powershell.exe |
  | 1728 | powershell.exe |
  | 948 | powershell.exe |
  | 2632 | lsm.exe |
  | 872 | lsm.exe |
  | 1064 | lsm.exe |
  | 2928 | lsm.exe |
  | 2548 | lsm.exe |
  | 324 | lsm.exe |
  | 2140 | lsm.exe |
  | 2220 | lsm.exe |
  | 1560 | lsm.exe |
  | 2328 | lsm.exe |

- Suspicious use of AdjustPrivilegeToken (16 IoCs)

  | description | pid | Process |
  |---|---|---|
  | Token: SeDebugPrivilege | 2888 | DllCommonsvc.exe |
  | Token: SeDebugPrivilege | 1292 | powershell.exe |
  | Token: SeDebugPrivilege | 1732 | powershell.exe |
  | Token: SeDebugPrivilege | 900 | powershell.exe |
  | Token: SeDebugPrivilege | 1728 | powershell.exe |
  | Token: SeDebugPrivilege | 948 | powershell.exe |
  | Token: SeDebugPrivilege | 2632 | lsm.exe |
  | Token: SeDebugPrivilege | 872 | lsm.exe |
  | Token: SeDebugPrivilege | 1064 | lsm.exe |
  | Token: SeDebugPrivilege | 2928 | lsm.exe |
  | Token: SeDebugPrivilege | 2548 | lsm.exe |
  | Token: SeDebugPrivilege | 324 | lsm.exe |
  | Token: SeDebugPrivilege | 2140 | lsm.exe |
  | Token: SeDebugPrivilege | 2220 | lsm.exe |
  | Token: SeDebugPrivilege | 1560 | lsm.exe |
  | Token: SeDebugPrivilege | 2328 | lsm.exe |

- Suspicious use of WriteProcessMemory (64 IoCs)

  | description | pid | Process | procid_target |
  |---|---|---|---|
  | PID 2580 wrote to memory of 2156 | 2580 | JaffaCakes118_cd490e0c73d4151742246381a61cbc8d67c95aa547f40db250112c354fc7bf65.exe | 29 |
  | PID 2580 wrote to memory of 2156 | 2580 | JaffaCakes118_cd490e0c73d4151742246381a61cbc8d67c95aa547f40db250112c354fc7bf65.exe | 29 |
  | PID 2580 wrote to memory of 2156 | 2580 | JaffaCakes118_cd490e0c73d4151742246381a61cbc8d67c95aa547f40db250112c354fc7bf65.exe | 29 |
  | PID 2580 wrote to memory of 2156 | 2580 | JaffaCakes118_cd490e0c73d4151742246381a61cbc8d67c95aa547f40db250112c354fc7bf65.exe | 29 |
  | PID 2156 wrote to memory of 2812 | 2156 | WScript.exe | 30 |
  | PID 2156 wrote to memory of 2812 | 2156 | WScript.exe | 30 |
  | PID 2156 wrote to memory of 2812 | 2156 | WScript.exe | 30 |
  | PID 2156 wrote to memory of 2812 | 2156 | WScript.exe | 30 |
  | PID 2812 wrote to memory of 2888 | 2812 | cmd.exe | 32 |
  | PID 2812 wrote to memory of 2888 | 2812 | cmd.exe | 32 |
  | PID 2812 wrote to memory of 2888 | 2812 | cmd.exe | 32 |
  | PID 2812 wrote to memory of 2888 | 2812 | cmd.exe | 32 |
  | PID 2888 wrote to memory of 1732 | 2888 | DllCommonsvc.exe | 46 |
  | PID 2888 wrote to memory of 1732 | 2888 | DllCommonsvc.exe | 46 |
  | PID 2888 wrote to memory of 1732 | 2888 | DllCommonsvc.exe | 46 |
  | PID 2888 wrote to memory of 1728 | 2888 | DllCommonsvc.exe | 47 |
  | PID 2888 wrote to memory of 1728 | 2888 | DllCommonsvc.exe | 47 |
  | PID 2888 wrote to memory of 1728 | 2888 | DllCommonsvc.exe | 47 |
  | PID 2888 wrote to memory of 948 | 2888 | DllCommonsvc.exe | 48 |
  | PID 2888 wrote to memory of 948 | 2888 | DllCommonsvc.exe | 48 |
  | PID 2888 wrote to memory of 948 | 2888 | DllCommonsvc.exe | 48 |
  | PID 2888 wrote to memory of 900 | 2888 | DllCommonsvc.exe | 50 |
  | PID 2888 wrote to memory of 900 | 2888 | DllCommonsvc.exe | 50 |
  | PID 2888 wrote to memory of 900 | 2888 | DllCommonsvc.exe | 50 |
  | PID 2888 wrote to memory of 1292 | 2888 | DllCommonsvc.exe | 51 |
  | PID 2888 wrote to memory of 1292 | 2888 | DllCommonsvc.exe | 51 |
  | PID 2888 wrote to memory of 1292 | 2888 | DllCommonsvc.exe | 51 |
  | PID 2888 wrote to memory of 2632 | 2888 | DllCommonsvc.exe | 56 |
  | PID 2888 wrote to memory of 2632 | 2888 | DllCommonsvc.exe | 56 |
  | PID 2888 wrote to memory of 2632 | 2888 | DllCommonsvc.exe | 56 |
  | PID 2632 wrote to memory of 844 | 2632 | lsm.exe | 57 |
  | PID 2632 wrote to memory of 844 | 2632 | lsm.exe | 57 |
  | PID 2632 wrote to memory of 844 | 2632 | lsm.exe | 57 |
  | PID 844 wrote to memory of 2764 | 844 | cmd.exe | 59 |
  | PID 844 wrote to memory of 2764 | 844 | cmd.exe | 59 |
  | PID 844 wrote to memory of 2764 | 844 | cmd.exe | 59 |
  | PID 844 wrote to memory of 872 | 844 | cmd.exe | 60 |
  | PID 844 wrote to memory of 872 | 844 | cmd.exe | 60 |
  | PID 844 wrote to memory of 872 | 844 | cmd.exe | 60 |
  | PID 872 wrote to memory of 2808 | 872 | lsm.exe | 61 |
  | PID 872 wrote to memory of 2808 | 872 | lsm.exe | 61 |
  | PID 872 wrote to memory of 2808 | 872 | lsm.exe | 61 |
  | PID 2808 wrote to memory of 1140 | 2808 | cmd.exe | 63 |
  | PID 2808 wrote to memory of 1140 | 2808 | cmd.exe | 63 |
  | PID 2808 wrote to memory of 1140 | 2808 | cmd.exe | 63 |
  | PID 2808 wrote to memory of 1064 | 2808 | cmd.exe | 64 |
  | PID 2808 wrote to memory of 1064 | 2808 | cmd.exe | 64 |
  | PID 2808 wrote to memory of 1064 | 2808 | cmd.exe | 64 |
  | PID 1064 wrote to memory of 1732 | 1064 | lsm.exe | 65 |
  | PID 1064 wrote to memory of 1732 | 1064 | lsm.exe | 65 |
  | PID 1064 wrote to memory of 1732 | 1064 | lsm.exe | 65 |
  | PID 1732 wrote to memory of 2312 | 1732 | cmd.exe | 67 |
  | PID 1732 wrote to memory of 2312 | 1732 | cmd.exe | 67 |
  | PID 1732 wrote to memory of 2312 | 1732 | cmd.exe | 67 |
  | PID 1732 wrote to memory of 2928 | 1732 | cmd.exe | 68 |
  | PID 1732 wrote to memory of 2928 | 1732 | cmd.exe | 68 |
  | PID 1732 wrote to memory of 2928 | 1732 | cmd.exe | 68 |
  | PID 2928 wrote to memory of 1448 | 2928 | lsm.exe | 69 |
  | PID 2928 wrote to memory of 1448 | 2928 | lsm.exe | 69 |
  | PID 2928 wrote to memory of 1448 | 2928 | lsm.exe | 69 |
  | PID 1448 wrote to memory of 1508 | 1448 | cmd.exe | 71 |
  | PID 1448 wrote to memory of 1508 | 1448 | cmd.exe | 71 |
  | PID 1448 wrote to memory of 1508 | 1448 | cmd.exe | 71 |
  | PID 1448 wrote to memory of 2548 | 1448 | cmd.exe | 72 |

- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- Depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cd490e0c73d4151742246381a61cbc8d67c95aa547f40db250112c354fc7bf65.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cd490e0c73d4151742246381a61cbc8d67c95aa547f40db250112c354fc7bf65.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2580

- Depth 2: C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2156

- Depth 3: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2812

- Depth 4: C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2888

- Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1732

- Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\conhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1728

- Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 948

- Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 900

- Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\spoolsv.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1292

- Depth 5: C:\Program Files\Windows Journal\lsm.exe
  Command line: "C:\Program Files\Windows Journal\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2632

- Depth 6: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\18eSMsDQCm.bat"
  - Suspicious use of WriteProcessMemory
  PID: 844

- Depth 7: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2764

- Depth 7: C:\Program Files\Windows Journal\lsm.exe
  Command line: "C:\Program Files\Windows Journal\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 872

- Depth 8: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\esvfELjyVS.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2808

- Depth 9: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1140

- Depth 9: C:\Program Files\Windows Journal\lsm.exe
  Command line: "C:\Program Files\Windows Journal\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1064

- Depth 10: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1732

- Depth 11: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2312

- Depth 11: C:\Program Files\Windows Journal\lsm.exe
  Command line: "C:\Program Files\Windows Journal\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2928

- Depth 12: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\guIa2jZB2U.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1448

- Depth 13: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1508

- Depth 13: C:\Program Files\Windows Journal\lsm.exe
  Command line: "C:\Program Files\Windows Journal\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2548

- Depth 14: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat"
  PID: 2448

- Depth 15: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3052

- Depth 15: C:\Program Files\Windows Journal\lsm.exe
  Command line: "C:\Program Files\Windows Journal\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 324

- Depth 16: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gW6qUMg8Bu.bat"
  PID: 1292

- Depth 17: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2216

- Depth 17: C:\Program Files\Windows Journal\lsm.exe
  Command line: "C:\Program Files\Windows Journal\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2140

- Depth 18: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"
  PID: 3004

- Depth 19: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1844

- Depth 19: C:\Program Files\Windows Journal\lsm.exe
  Command line: "C:\Program Files\Windows Journal\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2220

- Depth 20: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v9lJjcBPjH.bat"
  PID: 2692

- Depth 21: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1800

- Depth 21: C:\Program Files\Windows Journal\lsm.exe
  Command line: "C:\Program Files\Windows Journal\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1560

- Depth 22: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat"
  PID: 1444

- Depth 23: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1596

- Depth 23: C:\Program Files\Windows Journal\lsm.exe
  Command line: "C:\Program Files\Windows Journal\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2328

- Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\conhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2796

- Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\debug\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2900

- Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2700

- Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\WmiPrvSE.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2852

- Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2872

- Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2132

- Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\lsm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1876

- Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2212

- Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1892

- Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1444

- Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2668

- Depth 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2984
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 60227abf7b98bfd51e284f912c6cd169
  SHA1: a13cf3716b1d74518b08e2e19c19a1dbdaa3e379
  SHA256: 1f0995daa90bcda46cb8ee20ed17fa7c0071ba1c2834d7cfa89abd55604a5461
  SHA512: fb450709c68aff62b0ac333fda95be24d8ade632e56c012754f6bb905355d7bdf4424c9baefe5e63759ab8017cbcefdef0fff68a6ddf6927a6c080503a4538cd

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: d022e9bccc33f7c169051a84d544e410
  SHA1: 6fb71a17dad583031031e373bd494670ff86c899
  SHA256: f192b783ede0a1d52b7ea597c7fcf809ac8e5af4d46b4ea3584cd08bf3bbfd08
  SHA512: 8287e6e5525bb8f4fac43fff1abbc81f9eccf99c373e54f1fe5a93402f87cefd4ad5ca3e80f1054504ce6b9b07eaef4cfdeea57ada52aace5e4f4d950db2062a

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: cc883e8c0d549b4edc883d7be0c9b616
  SHA1: 5ac64b0d11125d7ca77b34852708c5d27d337ba7
  SHA256: 055a36a91481258f89257dddde0c466453dddb2ff4562749f4f616b9a8ce22b4
  SHA512: 8858b741d298c83773c81063b642663d44f262c5bf9c0bb77528b9e1ef6dd12c65da8004c1132b0e623d6268f14e38f0229a22db9fc57fddaa8013720dedbfa4

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 220f5d6c56c919ee656fbaf8b3fe87f2
  SHA1: 4c078cd9edbe9fbf92137e92398a1807b1f89fe0
  SHA256: 20ad7389215008ee6402f8f047c542830a8825879803a25948bd869645473ab3
  SHA512: 407a5bb516975e00fbafcc50ad61da35ea2907792a0d5652e9d999774cc7d1e44494c7d488acd26e55668587d25e6ec07f9b5e7e36616a752b8f48e7b2ede302

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 84fdf8e48cc591bc0ef7901d591ff20f
  SHA1: 2ec67563bfe97a77912a20d3848e644e2e9e8693
  SHA256: 1d185334315e7e491c7c12d3b059b15055a7c8c8fd35c4cef06786de13378a8a
  SHA512: 2981bbe56dbd5b0e9e4d3f344cacb5a84deff521c2ccd2651d3b9273046168c7ed73940490ba3eb076c8ac215b6f4d8a396d908bb1aa3c9255599b877480023c

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 63f22d71a455b7764ab35395456a2ebd
  SHA1: 73a146db1c4482d3c913372f20f20d7f60752b17
  SHA256: 547ee52ab16d0aa3140442af72c6f9b5ce7718135d766baca54da3b80b5f3e0b
  SHA512: 0df2ed93fcde682e56f25661d6a5f520ebdb2cf1088a358fe50cb381bb197fa90f3718180499c70802ccd76e7a745495ed30aabac16575779fceafa4720678e9

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 35d28f12095637e3028d44d7fc590bf2
  SHA1: e13cd7e68f3c6b82a1cbe7a288fdc81cb9e3af1d
  SHA256: 6715b148c62eaeea23e7f42dd9fd6cf078c8a49c619b0bc4f7615741f0e305b5
  SHA512: eb6f90c0cc567daf98e2bd687868544fd1e41d98faccaa3845d8c560740e8c2e893025fdfbcfc0dc696a46bc15ff7f41484d5df669c6171379b704fb9e3b9bdf

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 976344fb55aacaa2f93d2137aa1ab3ea
  SHA1: 27f23e5c8ff841100cffa71fcf3196f6b1510641
  SHA256: 97b017ec0850573ed2b3713203f2764f45040ac8f107e9cac28c4af6898b53ea
  SHA512: 666cc02ce2eb96081ee9abfa12566c5a512f20772509169eb546d7184c1d1583a11814b4e74d4d1d926f5a87ce583a9564a6d099a4cd307e7de33602f3ff8951

- Filesize: 205B
  MD5: 8fd7a2349b6be1ddd83c273a35041bd6
  SHA1: f8eacf76ba73d31ddf7a844551b09fd57cd9648f
  SHA256: b9eb9fbb353b567db3b73983d86c9e02fb40db3c11801bb32f23ac1ffcf2466b
  SHA512: c9761cdbf554e7635b018438d96b3e148efcb633cd50a7ffeabda7a12e501c3d2de1456f692bac6282579a14be39c6829683de98359ba417c3ce0a5dce917666

- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

- Filesize: 205B
  MD5: a4e2aee70c30b8730b8d2539d6907809
  SHA1: eb9b30025de8a4e7ca5e3da5a5248fd9126bb60c
  SHA256: eca10d6d03553cbbd9e543c2f20f044c776096c5da51b5b812dae3a97ed0d362
  SHA512: ca607a05cf7556fe69cd5552d478d40c62ec27998cf79b4ecce19d52649372e2bf6aa2b720399f015b7b19103ea18160b0faeaf5608fffdc1dbe55f72ec6d6eb

- Filesize: 205B
  MD5: 0bc758ace98b292657dd4497bdb60a83
  SHA1: 43f557ef535c93f199cbd319ee3151933cec4d3c
  SHA256: 60b4ed789f236fd233660c747ac60684fb67a1bac48a68da326f210dbd030e14
  SHA512: 99ce1d0f986b206b8c5ccbffd1adfeb6b17fa352cfd9e7c1d31a0498c19d0811f104a20d161c09aadb2237f001348a785831c39bee13ab842a11ba5c0539c13b

- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

- Filesize: 205B
  MD5: 336a8ae8662cb6176950f8f4434e900a
  SHA1: 58d539af01bf41d4cb97305ae8cdd1917ef59363
  SHA256: b22e7500c0855c9d7cd3449deeaf4b564a11e36e8e7f248829894dfb78972cef
  SHA512: eb5dd8497b8fcbedb1611a5955b89ff75c7b7d804c23aae2add98df91fe9f032ea30127e888f9e05e7609fccf43f25a530e6ad1fbeb3ad7fa77aff0f5b81b348

- Filesize: 205B
  MD5: 191acb79e38d900bdd10cc5edf3b0861
  SHA1: e48499fe1c767825b146009bf55ba385cd8dd776
  SHA256: 7507b6f09a4a95dc742220c4f59c967a5f6fe3f79e22f2f1d7ae36824c415e98
  SHA512: 6c080a3005d9aae7d6c604ebf709f7688a82e8abd8d0c42106543b807c8a1897105b512f711ea0a20a23c07bc89210cedd41ad6e7bc892ae8896bd7fe1085ad6

- Filesize: 205B
  MD5: 7c6149dd151e5b3af273e0ea50682e7e
  SHA1: 2d09170ace3e3f6dc3894964c33dfdaceb521c74
  SHA256: ef7fcff0d5ba133e83c739dd97951fdda4c37bd2a57cfa338ef329fe1eb4ace0
  SHA512: fe265ca2da993879399b592edf53417850534f09dd32307449023f31115509355ab4996e8d84b8d816ebc3db12ae70c823c826e78dc0dc66f65887e41f87dd9b

- Filesize: 205B
  MD5: b347294ceccadedb77eea8a22946bbbc
  SHA1: ceed5b94051b6f1faffe26e1efb499d02067905f
  SHA256: 72e79c8498cc0785c56697e91b683451afbfc8643a036bfca3c26e206d4235f1
  SHA512: f3e9d403e6f82865d616740b309fd14c61bcac0ff77512481b41f6577147ac9519557d226904b5ed75c4259784e85c0250d507c1a798e1b55d75b04940744cec

- Filesize: 205B
  MD5: 2f25f2bca864d16ffa6e6ee8ea925ec1
  SHA1: c8c6b0353ccda7a69e616768fdf25ed22965875a
  SHA256: 3dc7735537a47fde8d01a1ad91adeb9277b68972ba86d207e11a372d0b875c8e
  SHA512: ba233a9c3fb4eb5a015f5a10eec4d3059a0980aca5b544f9d1a452ca63be6f8a57c51601a1b269a53d7606f05b58bd68f6705cb83917f6a0ac2c4f32b7b96296

- Filesize: 205B
  MD5: 593c422cb993f1eb306a66e29dd3225f
  SHA1: 05a89648c6509e8944c5ab6c0ebfd99c4ead7e91
  SHA256: 87ff6c43794eecf652f2d02ba28c3029eed339e6c9aaf36202d1c810fa78c701
  SHA512: c6f095f0f4302dfd927c1ca08db67d8686920e8bf925fbb891356c1f7b3c5f3f825239c77a22e0433c79bba1c1c5b1b2e762c79a527864aaa0033a8ca5dcd249

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: c89149d0de94b18142d7d7ab0619402a
  SHA1: 225171055aad03fb6f7e377eaa24f8597659bf6d
  SHA256: 4abd1cc1af06ed2fe69790dd65b5f015db2b4b7b1e3d1aff386f78729706df00
  SHA512: ce0ee9ad5cc872e6fd6cabacaf0a6cf0aa7df6c3eb185060e15c5bbb4493484e5ab0511aed8490a1eee21f9ead30e6dce3818563fb18c9ea4db62d53d7651e49

- Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

- Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

- Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394