Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2024, 01:37
Behavioral task: behavioral1
- Sample: JaffaCakes118_fe246d8df6111f1cce1f2ca30dd746b98ccbb2647f226bc654792f7594f62cb0.exe
- Resource: win7-20240708-en

Behavioral task: behavioral2
- Sample: JaffaCakes118_fe246d8df6111f1cce1f2ca30dd746b98ccbb2647f226bc654792f7594f62cb0.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_fe246d8df6111f1cce1f2ca30dd746b98ccbb2647f226bc654792f7594f62cb0.exe
- Size: 1.3MB
- MD5: d7ed442df55737938dd4ba8f5f52c79f
- SHA1: 5e251104b9b34059a2c402d137969acad1d6ae9b
- SHA256: fe246d8df6111f1cce1f2ca30dd746b98ccbb2647f226bc654792f7594f62cb0
- SHA512: 3cbc9e24e25650767625f4277583c2c551d9ead499e46d259283fea70488e4427f019fe56ca68c7664bcd0f59d9e2d8a0ed57a7c0ac57f05e75e1c98de10c3b5
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family
resource                                                                   yara_rule
behavioral1/files/0x0008000000015d29-9.dat                                 dcrat
behavioral1/memory/2824-13-0x00000000010C0000-0x00000000011D0000-memory.dmp  dcrat
behavioral1/memory/2428-66-0x0000000000020000-0x0000000000130000-memory.dmp  dcrat
behavioral1/memory/2424-126-0x0000000000800000-0x0000000000910000-memory.dmp dcrat
behavioral1/memory/2900-186-0x0000000000900000-0x0000000000A10000-memory.dmp dcrat
behavioral1/memory/2820-246-0x00000000011D0000-0x00000000012E0000-memory.dmp dcrat
behavioral1/memory/772-366-0x00000000011E0000-0x00000000012F0000-memory.dmp  dcrat
behavioral1/memory/3036-486-0x0000000001290000-0x00000000013A0000-memory.dmp dcrat

Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description (identical for all 15 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid   pid_target  Process       procid_target
3028  2608        schtasks.exe  34
2156  2608        schtasks.exe  34
1028  2608        schtasks.exe  34
476   2608        schtasks.exe  34
1324  2608        schtasks.exe  34
584   2608        schtasks.exe  34
2972  2608        schtasks.exe  34
2292  2608        schtasks.exe  34
2536  2608        schtasks.exe  34
1276  2608        schtasks.exe  34
1228  2608        schtasks.exe  34
1940  2608        schtasks.exe  34
1332  2608        schtasks.exe  34
2028  2608        schtasks.exe  34
1800  2608        schtasks.exe  34
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid   Process
2204  powershell.exe
2760  powershell.exe
2620  powershell.exe
1696  powershell.exe
340   powershell.exe
840   powershell.exe
Executes dropped EXE 11 IoCs
pid   Process
2824  DllCommonsvc.exe
2428  Idle.exe
2424  Idle.exe
2900  Idle.exe
2820  Idle.exe
2428  Idle.exe
772   Idle.exe
340   Idle.exe
3036  Idle.exe
2876  Idle.exe
1548  Idle.exe
Loads dropped DLL 2 IoCs
pid   Process
1036  cmd.exe
1036  cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow  ioc
4     raw.githubusercontent.com
26    raw.githubusercontent.com
29    raw.githubusercontent.com
32    raw.githubusercontent.com
5     raw.githubusercontent.com
9     raw.githubusercontent.com
12    raw.githubusercontent.com
16    raw.githubusercontent.com
19    raw.githubusercontent.com
23    raw.githubusercontent.com
35    raw.githubusercontent.com
Drops file in Program Files directory 3 IoCs
description                   ioc                                                        Process
File created                  C:\Program Files (x86)\Windows Mail\es-ES\taskhost.exe     DllCommonsvc.exe
File opened for modification  C:\Program Files (x86)\Windows Mail\es-ES\taskhost.exe     DllCommonsvc.exe
File created                  C:\Program Files (x86)\Windows Mail\es-ES\b75386f1303e64   DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   JaffaCakes118_fe246d8df6111f1cce1f2ca30dd746b98ccbb2647f226bc654792f7594f62cb0.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   WScript.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
584   schtasks.exe
2972  schtasks.exe
1940  schtasks.exe
3028  schtasks.exe
476   schtasks.exe
1228  schtasks.exe
2028  schtasks.exe
2292  schtasks.exe
2536  schtasks.exe
1332  schtasks.exe
1800  schtasks.exe
1028  schtasks.exe
1276  schtasks.exe
2156  schtasks.exe
1324  schtasks.exe
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid   Process
2824  DllCommonsvc.exe
840   powershell.exe
2204  powershell.exe
340   powershell.exe
2760  powershell.exe
1696  powershell.exe
2620  powershell.exe
2428  Idle.exe
2424  Idle.exe
2900  Idle.exe
2820  Idle.exe
2428  Idle.exe
772   Idle.exe
340   Idle.exe
3036  Idle.exe
2876  Idle.exe
1548  Idle.exe
Suspicious use of AdjustPrivilegeToken 17 IoCs
description               pid   Process
Token: SeDebugPrivilege   2824  DllCommonsvc.exe
Token: SeDebugPrivilege   840   powershell.exe
Token: SeDebugPrivilege   2204  powershell.exe
Token: SeDebugPrivilege   340   powershell.exe
Token: SeDebugPrivilege   2760  powershell.exe
Token: SeDebugPrivilege   1696  powershell.exe
Token: SeDebugPrivilege   2620  powershell.exe
Token: SeDebugPrivilege   2428  Idle.exe
Token: SeDebugPrivilege   2424  Idle.exe
Token: SeDebugPrivilege   2900  Idle.exe
Token: SeDebugPrivilege   2820  Idle.exe
Token: SeDebugPrivilege   2428  Idle.exe
Token: SeDebugPrivilege   772   Idle.exe
Token: SeDebugPrivilege   340   Idle.exe
Token: SeDebugPrivilege   3036  Idle.exe
Token: SeDebugPrivilege   2876  Idle.exe
Token: SeDebugPrivilege   1548  Idle.exe
Suspicious use of WriteProcessMemory 64 IoCs
Each row of the original table reads "PID <pid> wrote to memory of <target pid>"; the report repeats the same row once per WriteProcessMemory call, so identical rows are collapsed here with their count in the events column (64 rows in total).
pid   wrote to PID  procid_target  events  Process
2644  2756          30             4       JaffaCakes118_fe246d8df6111f1cce1f2ca30dd746b98ccbb2647f226bc654792f7594f62cb0.exe
2756  1036          31             4       WScript.exe
1036  2824          33             4       cmd.exe
2824  840           50             3       DllCommonsvc.exe
2824  2760          51             3       DllCommonsvc.exe
2824  2204          52             3       DllCommonsvc.exe
2824  2620          55             3       DllCommonsvc.exe
2824  1696          56             3       DllCommonsvc.exe
2824  340           57             3       DllCommonsvc.exe
2824  2744          62             3       DllCommonsvc.exe
2744  1780          64             3       cmd.exe
2744  2428          65             3       cmd.exe
2428  2784          66             3       Idle.exe
2784  2652          68             3       cmd.exe
2784  2424          69             3       cmd.exe
2424  2168          70             3       Idle.exe
2168  2856          72             3       cmd.exe
2168  2900          74             3       cmd.exe
2900  1648          75             3       Idle.exe
1648  2712          77             3       cmd.exe
1648  2820          78             1       cmd.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives the image path, the command line, the signatures that fired for that process, and its PID; the number in brackets is the depth in the process tree.

[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fe246d8df6111f1cce1f2ca30dd746b98ccbb2647f226bc654792f7594f62cb0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fe246d8df6111f1cce1f2ca30dd746b98ccbb2647f226bc654792f7594f62cb0.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2644

[depth 2] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2756

[depth 3] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1036

[depth 4] C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2824
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 840

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\es-ES\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2760

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2204

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2620

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1696

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 340
[depth 5] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9eylyvpAgI.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2744

[depth 6] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1780

[depth 6] C:\providercommon\Idle.exe
  Command line: "C:\providercommon\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2428

[depth 7] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2784

[depth 8] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2652

[depth 8] C:\providercommon\Idle.exe
  Command line: "C:\providercommon\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2424

[depth 9] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2168

[depth 10] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2856

[depth 10] C:\providercommon\Idle.exe
  Command line: "C:\providercommon\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2900

[depth 11] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1648

[depth 12] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2712

[depth 12] C:\providercommon\Idle.exe
  Command line: "C:\providercommon\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2820
[depth 13] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat"
  PID: 2776

[depth 14] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 916

[depth 14] C:\providercommon\Idle.exe
  Command line: "C:\providercommon\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2428

[depth 15] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jef2EZNQSo.bat"
  PID: 2664

[depth 16] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2928

[depth 16] C:\providercommon\Idle.exe
  Command line: "C:\providercommon\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 772

[depth 17] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SU2rmp5bpW.bat"
  PID: 2520

[depth 18] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2336

[depth 18] C:\providercommon\Idle.exe
  Command line: "C:\providercommon\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 340

[depth 19] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjtq3MYUh4.bat"
  PID: 2604

[depth 20] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2744

[depth 20] C:\providercommon\Idle.exe
  Command line: "C:\providercommon\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3036

[depth 21] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r40S8pVzgD.bat"
  PID: 2940

[depth 22] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 604

[depth 22] C:\providercommon\Idle.exe
  Command line: "C:\providercommon\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2876

[depth 23] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat"
  PID: 2012

[depth 24] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2912

[depth 24] C:\providercommon\Idle.exe
  Command line: "C:\providercommon\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1548

[depth 25] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat"
  PID: 2464

[depth 26] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1748
The following schtasks.exe processes sit at depth 1 of the tree; the "Process spawned unexpected child process" table above records them as children of C:\Windows\system32\wbem\wmiprvse.exe (PID 2608).

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\taskhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3028

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\es-ES\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2156

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1028

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 476

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1324

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 584

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2972

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2292

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2536

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\providercommon\Idle.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1276

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1228

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1940

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1332

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2028

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1800
Network
MITRE ATT&CK Enterprise v15
Downloads