Analysis
max time kernel: 146s
max time network: 151s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 02:36
Behavioral task: behavioral1
Sample: JaffaCakes118_b158ab70d77cd6fbe79a2d34fcd71eb2845116886937eb211e73d4e72236cf38.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: JaffaCakes118_b158ab70d77cd6fbe79a2d34fcd71eb2845116886937eb211e73d4e72236cf38.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_b158ab70d77cd6fbe79a2d34fcd71eb2845116886937eb211e73d4e72236cf38.exe
Size: 1.3MB
MD5: 0998a2f8643bf7b7e0eab2f78bdbd047
SHA1: 61d8766431ad23ebddc58979e189893647af1756
SHA256: b158ab70d77cd6fbe79a2d34fcd71eb2845116886937eb211e73d4e72236cf38
SHA512: f4fff7834a2f18b14337cdb8cd778b54551710e15b23a87e82ad59fb7168291693530d7b7b072b7bde8d3b75b79520599a40b9c10d6c712f78930599c6f30d46
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
  resource | yara_rule
  behavioral1/files/0x0008000000016d69-9.dat | dcrat
  behavioral1/memory/2532-13-0x0000000000B40000-0x0000000000C50000-memory.dmp | dcrat
  behavioral1/memory/560-65-0x0000000000C30000-0x0000000000D40000-memory.dmp | dcrat
  behavioral1/memory/2328-183-0x0000000000F80000-0x0000000001090000-memory.dmp | dcrat
  behavioral1/memory/676-243-0x0000000000140000-0x0000000000250000-memory.dmp | dcrat
  behavioral1/memory/2760-303-0x00000000010C0000-0x00000000011D0000-memory.dmp | dcrat
  behavioral1/memory/2976-422-0x00000000000C0000-0x00000000001D0000-memory.dmp | dcrat
  behavioral1/memory/584-482-0x0000000000910000-0x0000000000A20000-memory.dmp | dcrat
  behavioral1/memory/2672-542-0x0000000000E60000-0x0000000000F70000-memory.dmp | dcrat
- Process spawned unexpected child process 15 IoCs
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2712 | 3052 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2704 | 3052 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2928 | 3052 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2732 | 3052 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2688 | 3052 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2724 | 3052 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 524 | 3052 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2116 | 3052 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1200 | 3052 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1460 | 3052 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2028 | 3052 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1032 | 3052 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1656 | 3052 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2368 | 3052 | schtasks.exe | 35
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1772 | 3052 | schtasks.exe | 35
- Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  2024 | powershell.exe
  1488 | powershell.exe
  2008 | powershell.exe
  1636 | powershell.exe
  1992 | powershell.exe
  2016 | powershell.exe
- Executes dropped EXE 10 IoCs
  pid | Process
  2532 | DllCommonsvc.exe
  560 | lsm.exe
  3068 | lsm.exe
  2328 | lsm.exe
  676 | lsm.exe
  2760 | lsm.exe
  2644 | lsm.exe
  2976 | lsm.exe
  584 | lsm.exe
  2672 | lsm.exe
- Loads dropped DLL 2 IoCs
  pid | Process
  2964 | cmd.exe
  2964 | cmd.exe
- Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  flow | ioc
  4 | raw.githubusercontent.com
  5 | raw.githubusercontent.com
  9 | raw.githubusercontent.com
  13 | raw.githubusercontent.com
  17 | raw.githubusercontent.com
  21 | raw.githubusercontent.com
  24 | raw.githubusercontent.com
  28 | raw.githubusercontent.com
  31 | raw.githubusercontent.com
  34 | raw.githubusercontent.com
- Drops file in Program Files directory 4 IoCs
  description | ioc | Process
  File created | C:\Program Files\DVD Maker\es-ES\WmiPrvSE.exe | DllCommonsvc.exe
  File created | C:\Program Files\DVD Maker\es-ES\24dbde2999530e | DllCommonsvc.exe
  File created | C:\Program Files\Windows Portable Devices\spoolsv.exe | DllCommonsvc.exe
  File created | C:\Program Files\Windows Portable Devices\f3b6ecef712a24 | DllCommonsvc.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_b158ab70d77cd6fbe79a2d34fcd71eb2845116886937eb211e73d4e72236cf38.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2928 | schtasks.exe
  1032 | schtasks.exe
  2368 | schtasks.exe
  2732 | schtasks.exe
  2724 | schtasks.exe
  2116 | schtasks.exe
  1460 | schtasks.exe
  1772 | schtasks.exe
  524 | schtasks.exe
  2712 | schtasks.exe
  2704 | schtasks.exe
  2688 | schtasks.exe
  1200 | schtasks.exe
  2028 | schtasks.exe
  1656 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses 16 IoCs
  pid | Process
  2532 | DllCommonsvc.exe
  2008 | powershell.exe
  2016 | powershell.exe
  1636 | powershell.exe
  1992 | powershell.exe
  1488 | powershell.exe
  2024 | powershell.exe
  560 | lsm.exe
  3068 | lsm.exe
  2328 | lsm.exe
  676 | lsm.exe
  2760 | lsm.exe
  2644 | lsm.exe
  2976 | lsm.exe
  584 | lsm.exe
  2672 | lsm.exe
- Suspicious use of AdjustPrivilegeToken 16 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 2532 | DllCommonsvc.exe
  Token: SeDebugPrivilege | 2008 | powershell.exe
  Token: SeDebugPrivilege | 1636 | powershell.exe
  Token: SeDebugPrivilege | 2016 | powershell.exe
  Token: SeDebugPrivilege | 1992 | powershell.exe
  Token: SeDebugPrivilege | 1488 | powershell.exe
  Token: SeDebugPrivilege | 2024 | powershell.exe
  Token: SeDebugPrivilege | 560 | lsm.exe
  Token: SeDebugPrivilege | 3068 | lsm.exe
  Token: SeDebugPrivilege | 2328 | lsm.exe
  Token: SeDebugPrivilege | 676 | lsm.exe
  Token: SeDebugPrivilege | 2760 | lsm.exe
  Token: SeDebugPrivilege | 2644 | lsm.exe
  Token: SeDebugPrivilege | 2976 | lsm.exe
  Token: SeDebugPrivilege | 584 | lsm.exe
  Token: SeDebugPrivilege | 2672 | lsm.exe
- Suspicious use of WriteProcessMemory 64 IoCs
  description | pid | Process | procid_target
  PID 2376 wrote to memory of 2616 | 2376 | JaffaCakes118_b158ab70d77cd6fbe79a2d34fcd71eb2845116886937eb211e73d4e72236cf38.exe | 30
  PID 2376 wrote to memory of 2616 | 2376 | JaffaCakes118_b158ab70d77cd6fbe79a2d34fcd71eb2845116886937eb211e73d4e72236cf38.exe | 30
  PID 2376 wrote to memory of 2616 | 2376 | JaffaCakes118_b158ab70d77cd6fbe79a2d34fcd71eb2845116886937eb211e73d4e72236cf38.exe | 30
  PID 2376 wrote to memory of 2616 | 2376 | JaffaCakes118_b158ab70d77cd6fbe79a2d34fcd71eb2845116886937eb211e73d4e72236cf38.exe | 30
  PID 2616 wrote to memory of 2964 | 2616 | WScript.exe | 32
  PID 2616 wrote to memory of 2964 | 2616 | WScript.exe | 32
  PID 2616 wrote to memory of 2964 | 2616 | WScript.exe | 32
  PID 2616 wrote to memory of 2964 | 2616 | WScript.exe | 32
  PID 2964 wrote to memory of 2532 | 2964 | cmd.exe | 34
  PID 2964 wrote to memory of 2532 | 2964 | cmd.exe | 34
  PID 2964 wrote to memory of 2532 | 2964 | cmd.exe | 34
  PID 2964 wrote to memory of 2532 | 2964 | cmd.exe | 34
  PID 2532 wrote to memory of 2024 | 2532 | DllCommonsvc.exe | 51
  PID 2532 wrote to memory of 2024 | 2532 | DllCommonsvc.exe | 51
  PID 2532 wrote to memory of 2024 | 2532 | DllCommonsvc.exe | 51
  PID 2532 wrote to memory of 1636 | 2532 | DllCommonsvc.exe | 52
  PID 2532 wrote to memory of 1636 | 2532 | DllCommonsvc.exe | 52
  PID 2532 wrote to memory of 1636 | 2532 | DllCommonsvc.exe | 52
  PID 2532 wrote to memory of 2008 | 2532 | DllCommonsvc.exe | 54
  PID 2532 wrote to memory of 2008 | 2532 | DllCommonsvc.exe | 54
  PID 2532 wrote to memory of 2008 | 2532 | DllCommonsvc.exe | 54
  PID 2532 wrote to memory of 1488 | 2532 | DllCommonsvc.exe | 55
  PID 2532 wrote to memory of 1488 | 2532 | DllCommonsvc.exe | 55
  PID 2532 wrote to memory of 1488 | 2532 | DllCommonsvc.exe | 55
  PID 2532 wrote to memory of 2016 | 2532 | DllCommonsvc.exe | 57
  PID 2532 wrote to memory of 2016 | 2532 | DllCommonsvc.exe | 57
  PID 2532 wrote to memory of 2016 | 2532 | DllCommonsvc.exe | 57
  PID 2532 wrote to memory of 1992 | 2532 | DllCommonsvc.exe | 59
  PID 2532 wrote to memory of 1992 | 2532 | DllCommonsvc.exe | 59
  PID 2532 wrote to memory of 1992 | 2532 | DllCommonsvc.exe | 59
  PID 2532 wrote to memory of 560 | 2532 | DllCommonsvc.exe | 63
  PID 2532 wrote to memory of 560 | 2532 | DllCommonsvc.exe | 63
  PID 2532 wrote to memory of 560 | 2532 | DllCommonsvc.exe | 63
  PID 560 wrote to memory of 1104 | 560 | lsm.exe | 64
  PID 560 wrote to memory of 1104 | 560 | lsm.exe | 64
  PID 560 wrote to memory of 1104 | 560 | lsm.exe | 64
  PID 1104 wrote to memory of 2820 | 1104 | cmd.exe | 66
  PID 1104 wrote to memory of 2820 | 1104 | cmd.exe | 66
  PID 1104 wrote to memory of 2820 | 1104 | cmd.exe | 66
  PID 1104 wrote to memory of 3068 | 1104 | cmd.exe | 67
  PID 1104 wrote to memory of 3068 | 1104 | cmd.exe | 67
  PID 1104 wrote to memory of 3068 | 1104 | cmd.exe | 67
  PID 3068 wrote to memory of 108 | 3068 | lsm.exe | 68
  PID 3068 wrote to memory of 108 | 3068 | lsm.exe | 68
  PID 3068 wrote to memory of 108 | 3068 | lsm.exe | 68
  PID 108 wrote to memory of 3032 | 108 | cmd.exe | 70
  PID 108 wrote to memory of 3032 | 108 | cmd.exe | 70
  PID 108 wrote to memory of 3032 | 108 | cmd.exe | 70
  PID 108 wrote to memory of 2328 | 108 | cmd.exe | 71
  PID 108 wrote to memory of 2328 | 108 | cmd.exe | 71
  PID 108 wrote to memory of 2328 | 108 | cmd.exe | 71
  PID 2328 wrote to memory of 1484 | 2328 | lsm.exe | 72
  PID 2328 wrote to memory of 1484 | 2328 | lsm.exe | 72
  PID 2328 wrote to memory of 1484 | 2328 | lsm.exe | 72
  PID 1484 wrote to memory of 2640 | 1484 | cmd.exe | 74
  PID 1484 wrote to memory of 2640 | 1484 | cmd.exe | 74
  PID 1484 wrote to memory of 2640 | 1484 | cmd.exe | 74
  PID 1484 wrote to memory of 676 | 1484 | cmd.exe | 75
  PID 1484 wrote to memory of 676 | 1484 | cmd.exe | 75
  PID 1484 wrote to memory of 676 | 1484 | cmd.exe | 75
  PID 676 wrote to memory of 2072 | 676 | lsm.exe | 76
  PID 676 wrote to memory of 2072 | 676 | lsm.exe | 76
  PID 676 wrote to memory of 2072 | 676 | lsm.exe | 76
  PID 2072 wrote to memory of 1492 | 2072 | cmd.exe | 78
- Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(1) C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b158ab70d77cd6fbe79a2d34fcd71eb2845116886937eb211e73d4e72236cf38.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b158ab70d77cd6fbe79a2d34fcd71eb2845116886937eb211e73d4e72236cf38.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2376
  (2) C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2616
    (3) C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2964
      (4) C:\providercommon\DllCommonsvc.exe
        Command line: "C:\providercommon\DllCommonsvc.exe"
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2532
        (5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2024
        (5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1636
        (5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\es-ES\WmiPrvSE.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2008
        (5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\explorer.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1488
        (5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\spoolsv.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2016
        (5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1992
        (5) C:\providercommon\lsm.exe
          Command line: "C:\providercommon\lsm.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 560
          (6) C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dekjrv1PTF.bat"
            - Suspicious use of WriteProcessMemory
            PID: 1104
            (7) C:\Windows\system32\w32tm.exe
              Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              PID: 2820
            (7) C:\providercommon\lsm.exe
              Command line: "C:\providercommon\lsm.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID: 3068
              (8) C:\Windows\System32\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat"
                - Suspicious use of WriteProcessMemory
                PID: 108
                (9) C:\Windows\system32\w32tm.exe
                  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  PID: 3032
                (9) C:\providercommon\lsm.exe
                  Command line: "C:\providercommon\lsm.exe"
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  PID: 2328
                  (10) C:\Windows\System32\cmd.exe
                    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat"
                    - Suspicious use of WriteProcessMemory
                    PID: 1484
                    (11) C:\Windows\system32\w32tm.exe
                      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      PID: 2640
                    (11) C:\providercommon\lsm.exe
                      Command line: "C:\providercommon\lsm.exe"
                      - Executes dropped EXE
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                      PID: 676
                      (12) C:\Windows\System32\cmd.exe
                        Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat"
                        - Suspicious use of WriteProcessMemory
                        PID: 2072
                        (13) C:\Windows\system32\w32tm.exe
                          Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          PID: 1492
                        (13) C:\providercommon\lsm.exe
                          Command line: "C:\providercommon\lsm.exe"
                          - Executes dropped EXE
                          - Suspicious behavior: EnumeratesProcesses
                          - Suspicious use of AdjustPrivilegeToken
                          PID: 2760
                          (14) C:\Windows\System32\cmd.exe
                            Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat"
                            PID: 1980
                            (15) C:\Windows\system32\w32tm.exe
                              Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              PID: 2740
                            (15) C:\providercommon\lsm.exe
                              Command line: "C:\providercommon\lsm.exe"
                              - Executes dropped EXE
                              - Suspicious behavior: EnumeratesProcesses
                              - Suspicious use of AdjustPrivilegeToken
                              PID: 2644
                              (16) C:\Windows\System32\cmd.exe
                                Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat"
                                PID: 2896
                                (17) C:\Windows\system32\w32tm.exe
                                  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  PID: 1180
                                (17) C:\providercommon\lsm.exe
                                  Command line: "C:\providercommon\lsm.exe"
                                  - Executes dropped EXE
                                  - Suspicious behavior: EnumeratesProcesses
                                  - Suspicious use of AdjustPrivilegeToken
                                  PID: 2976
                                  (18) C:\Windows\System32\cmd.exe
                                    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat"
                                    PID: 1092
                                    (19) C:\Windows\system32\w32tm.exe
                                      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      PID: 2004
                                    (19) C:\providercommon\lsm.exe
                                      Command line: "C:\providercommon\lsm.exe"
                                      - Executes dropped EXE
                                      - Suspicious behavior: EnumeratesProcesses
                                      - Suspicious use of AdjustPrivilegeToken
                                      PID: 584
                                      (20) C:\Windows\System32\cmd.exe
                                        Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat"
                                        PID: 1752
                                        (21) C:\Windows\system32\w32tm.exe
                                          Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          PID: 2876
                                        (21) C:\providercommon\lsm.exe
                                          Command line: "C:\providercommon\lsm.exe"
                                          - Executes dropped EXE
                                          - Suspicious behavior: EnumeratesProcesses
                                          - Suspicious use of AdjustPrivilegeToken
                                          PID: 2672
                                          (22) C:\Windows\System32\cmd.exe
                                            Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat"
                                            PID: 1948
                                            (23) C:\Windows\system32\w32tm.exe
                                              Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              PID: 656
(1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2712
(1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2704
(1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2928
(1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\es-ES\WmiPrvSE.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2732
(1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2688
(1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2724
(1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\explorer.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 524
(1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2116
(1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1200
(1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1460
(1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2028
(1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1032
(1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1656
(1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2368
(1) C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1772
MITRE ATT&CK Enterprise v15
Downloads