Analysis
max time kernel: 146s
max time network: 141s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 02:09
Behavioral task behavioral1
Sample: JaffaCakes118_0b14cc29923cac34825576d1f1488454fd04819bc1af24f406455383fd8edacf.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: JaffaCakes118_0b14cc29923cac34825576d1f1488454fd04819bc1af24f406455383fd8edacf.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_0b14cc29923cac34825576d1f1488454fd04819bc1af24f406455383fd8edacf.exe
Size: 1.3MB
MD5: bbdfb5ba585064c4b42268a77e189ea0
SHA1: b97a58bb65a7115a51fdd00c493c9e367f464d8b
SHA256: 0b14cc29923cac34825576d1f1488454fd04819bc1af24f406455383fd8edacf
SHA512: 44edc80522a3f3983aec5bb9ad1697d4e9ecf11ee03cbf84076ed222fbc1fe56471afc1e20f3337fef84499f78df6f4289eca199887105c369d557ff3e33571b
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2944 | 2640 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2852 | 2640 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2768 | 2640 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2940 | 2640 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2648 | 2640 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2456 | 2640 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2492 | 2640 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1880 | 2640 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1276 | 2640 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1208 | 2640 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1060 | 2640 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 592 | 2640 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 600 | 2640 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1260 | 2640 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2700 | 2640 | schtasks.exe | 34
resource | yara_rule
behavioral1/files/0x0007000000015da7-12.dat | dcrat
behavioral1/memory/2772-13-0x0000000000B10000-0x0000000000C20000-memory.dmp | dcrat
behavioral1/memory/2040-34-0x0000000000880000-0x0000000000990000-memory.dmp | dcrat
behavioral1/memory/1636-125-0x00000000009F0000-0x0000000000B00000-memory.dmp | dcrat
behavioral1/memory/2820-186-0x0000000000F10000-0x0000000001020000-memory.dmp | dcrat
behavioral1/memory/1376-602-0x0000000001020000-0x0000000001130000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
320 | powershell.exe
2872 | powershell.exe
1180 | powershell.exe
604 | powershell.exe
2876 | powershell.exe
2036 | powershell.exe
Executes dropped EXE 12 IoCs
pid | Process
2772 | DllCommonsvc.exe
2040 | lsm.exe
1636 | lsm.exe
2820 | lsm.exe
1796 | lsm.exe
2096 | lsm.exe
1448 | lsm.exe
2248 | lsm.exe
3064 | lsm.exe
2972 | lsm.exe
1376 | lsm.exe
348 | lsm.exe
Loads dropped DLL 2 IoCs
pid | Process
1868 | cmd.exe
1868 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
32 | raw.githubusercontent.com
5 | raw.githubusercontent.com
12 | raw.githubusercontent.com
15 | raw.githubusercontent.com
18 | raw.githubusercontent.com
22 | raw.githubusercontent.com
29 | raw.githubusercontent.com
4 | raw.githubusercontent.com
9 | raw.githubusercontent.com
25 | raw.githubusercontent.com
35 | raw.githubusercontent.com
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files\Windows Portable Devices\spoolsv.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Portable Devices\f3b6ecef712a24 | DllCommonsvc.exe
File created | C:\Program Files\DVD Maker\es-ES\spoolsv.exe | DllCommonsvc.exe
File created | C:\Program Files\DVD Maker\es-ES\f3b6ecef712a24 | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_0b14cc29923cac34825576d1f1488454fd04819bc1af24f406455383fd8edacf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2768 | schtasks.exe
1060 | schtasks.exe
592 | schtasks.exe
2456 | schtasks.exe
1880 | schtasks.exe
1208 | schtasks.exe
600 | schtasks.exe
1260 | schtasks.exe
2944 | schtasks.exe
2852 | schtasks.exe
2648 | schtasks.exe
2492 | schtasks.exe
1276 | schtasks.exe
2940 | schtasks.exe
2700 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid | Process
2772 | DllCommonsvc.exe
2872 | powershell.exe
604 | powershell.exe
2876 | powershell.exe
2036 | powershell.exe
320 | powershell.exe
2040 | lsm.exe
1180 | powershell.exe
1636 | lsm.exe
2820 | lsm.exe
1796 | lsm.exe
2096 | lsm.exe
1448 | lsm.exe
2248 | lsm.exe
3064 | lsm.exe
2972 | lsm.exe
1376 | lsm.exe
348 | lsm.exe
Suspicious use of AdjustPrivilegeToken 18 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2772 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2040 | lsm.exe
Token: SeDebugPrivilege | 2872 | powershell.exe
Token: SeDebugPrivilege | 604 | powershell.exe
Token: SeDebugPrivilege | 2876 | powershell.exe
Token: SeDebugPrivilege | 2036 | powershell.exe
Token: SeDebugPrivilege | 320 | powershell.exe
Token: SeDebugPrivilege | 1180 | powershell.exe
Token: SeDebugPrivilege | 1636 | lsm.exe
Token: SeDebugPrivilege | 2820 | lsm.exe
Token: SeDebugPrivilege | 1796 | lsm.exe
Token: SeDebugPrivilege | 2096 | lsm.exe
Token: SeDebugPrivilege | 1448 | lsm.exe
Token: SeDebugPrivilege | 2248 | lsm.exe
Token: SeDebugPrivilege | 3064 | lsm.exe
Token: SeDebugPrivilege | 2972 | lsm.exe
Token: SeDebugPrivilege | 1376 | lsm.exe
Token: SeDebugPrivilege | 348 | lsm.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2180 wrote to memory of 2556 | 2180 | JaffaCakes118_0b14cc29923cac34825576d1f1488454fd04819bc1af24f406455383fd8edacf.exe | 30
PID 2180 wrote to memory of 2556 | 2180 | JaffaCakes118_0b14cc29923cac34825576d1f1488454fd04819bc1af24f406455383fd8edacf.exe | 30
PID 2180 wrote to memory of 2556 | 2180 | JaffaCakes118_0b14cc29923cac34825576d1f1488454fd04819bc1af24f406455383fd8edacf.exe | 30
PID 2180 wrote to memory of 2556 | 2180 | JaffaCakes118_0b14cc29923cac34825576d1f1488454fd04819bc1af24f406455383fd8edacf.exe | 30
PID 2556 wrote to memory of 1868 | 2556 | WScript.exe | 31
PID 2556 wrote to memory of 1868 | 2556 | WScript.exe | 31
PID 2556 wrote to memory of 1868 | 2556 | WScript.exe | 31
PID 2556 wrote to memory of 1868 | 2556 | WScript.exe | 31
PID 1868 wrote to memory of 2772 | 1868 | cmd.exe | 33
PID 1868 wrote to memory of 2772 | 1868 | cmd.exe | 33
PID 1868 wrote to memory of 2772 | 1868 | cmd.exe | 33
PID 1868 wrote to memory of 2772 | 1868 | cmd.exe | 33
PID 2772 wrote to memory of 2872 | 2772 | DllCommonsvc.exe | 50
PID 2772 wrote to memory of 2872 | 2772 | DllCommonsvc.exe | 50
PID 2772 wrote to memory of 2872 | 2772 | DllCommonsvc.exe | 50
PID 2772 wrote to memory of 320 | 2772 | DllCommonsvc.exe | 51
PID 2772 wrote to memory of 320 | 2772 | DllCommonsvc.exe | 51
PID 2772 wrote to memory of 320 | 2772 | DllCommonsvc.exe | 51
PID 2772 wrote to memory of 2036 | 2772 | DllCommonsvc.exe | 52
PID 2772 wrote to memory of 2036 | 2772 | DllCommonsvc.exe | 52
PID 2772 wrote to memory of 2036 | 2772 | DllCommonsvc.exe | 52
PID 2772 wrote to memory of 1180 | 2772 | DllCommonsvc.exe | 54
PID 2772 wrote to memory of 1180 | 2772 | DllCommonsvc.exe | 54
PID 2772 wrote to memory of 1180 | 2772 | DllCommonsvc.exe | 54
PID 2772 wrote to memory of 604 | 2772 | DllCommonsvc.exe | 55
PID 2772 wrote to memory of 604 | 2772 | DllCommonsvc.exe | 55
PID 2772 wrote to memory of 604 | 2772 | DllCommonsvc.exe | 55
PID 2772 wrote to memory of 2876 | 2772 | DllCommonsvc.exe | 56
PID 2772 wrote to memory of 2876 | 2772 | DllCommonsvc.exe | 56
PID 2772 wrote to memory of 2876 | 2772 | DllCommonsvc.exe | 56
PID 2772 wrote to memory of 2040 | 2772 | DllCommonsvc.exe | 62
PID 2772 wrote to memory of 2040 | 2772 | DllCommonsvc.exe | 62
PID 2772 wrote to memory of 2040 | 2772 | DllCommonsvc.exe | 62
PID 2040 wrote to memory of 2084 | 2040 | lsm.exe | 64
PID 2040 wrote to memory of 2084 | 2040 | lsm.exe | 64
PID 2040 wrote to memory of 2084 | 2040 | lsm.exe | 64
PID 2084 wrote to memory of 2556 | 2084 | cmd.exe | 66
PID 2084 wrote to memory of 2556 | 2084 | cmd.exe | 66
PID 2084 wrote to memory of 2556 | 2084 | cmd.exe | 66
PID 2084 wrote to memory of 1636 | 2084 | cmd.exe | 67
PID 2084 wrote to memory of 1636 | 2084 | cmd.exe | 67
PID 2084 wrote to memory of 1636 | 2084 | cmd.exe | 67
PID 1636 wrote to memory of 2896 | 1636 | lsm.exe | 68
PID 1636 wrote to memory of 2896 | 1636 | lsm.exe | 68
PID 1636 wrote to memory of 2896 | 1636 | lsm.exe | 68
PID 2896 wrote to memory of 2724 | 2896 | cmd.exe | 70
PID 2896 wrote to memory of 2724 | 2896 | cmd.exe | 70
PID 2896 wrote to memory of 2724 | 2896 | cmd.exe | 70
PID 2896 wrote to memory of 2820 | 2896 | cmd.exe | 71
PID 2896 wrote to memory of 2820 | 2896 | cmd.exe | 71
PID 2896 wrote to memory of 2820 | 2896 | cmd.exe | 71
PID 2820 wrote to memory of 860 | 2820 | lsm.exe | 72
PID 2820 wrote to memory of 860 | 2820 | lsm.exe | 72
PID 2820 wrote to memory of 860 | 2820 | lsm.exe | 72
PID 860 wrote to memory of 2104 | 860 | cmd.exe | 74
PID 860 wrote to memory of 2104 | 860 | cmd.exe | 74
PID 860 wrote to memory of 2104 | 860 | cmd.exe | 74
PID 860 wrote to memory of 1796 | 860 | cmd.exe | 75
PID 860 wrote to memory of 1796 | 860 | cmd.exe | 75
PID 860 wrote to memory of 1796 | 860 | cmd.exe | 75
PID 1796 wrote to memory of 2332 | 1796 | lsm.exe | 76
PID 1796 wrote to memory of 2332 | 1796 | lsm.exe | 76
PID 1796 wrote to memory of 2332 | 1796 | lsm.exe | 76
PID 2332 wrote to memory of 1596 | 2332 | cmd.exe | 78
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b14cc29923cac34825576d1f1488454fd04819bc1af24f406455383fd8edacf.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b14cc29923cac34825576d1f1488454fd04819bc1af24f406455383fd8edacf.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2180

[depth 2] C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2556

[depth 3] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1868

[depth 4] C:\providercommon\DllCommonsvc.exe
  cmdline: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2772

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:320

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\es-ES\spoolsv.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\dwm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1180

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\spoolsv.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:604

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2876

[depth 5] C:\providercommon\lsm.exe
  cmdline: "C:\providercommon\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2040

[depth 6] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LW19r029AS.bat"
  - Suspicious use of WriteProcessMemory
  PID:2084

[depth 7] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2556

[depth 7] C:\providercommon\lsm.exe
  cmdline: "C:\providercommon\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1636

[depth 8] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat"
  - Suspicious use of WriteProcessMemory
  PID:2896

[depth 9] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2724

[depth 9] C:\providercommon\lsm.exe
  cmdline: "C:\providercommon\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2820

[depth 10] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat"
  - Suspicious use of WriteProcessMemory
  PID:860

[depth 11] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2104

[depth 11] C:\providercommon\lsm.exe
  cmdline: "C:\providercommon\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1796

[depth 12] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat"
  - Suspicious use of WriteProcessMemory
  PID:2332

[depth 13] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:1596

[depth 13] C:\providercommon\lsm.exe
  cmdline: "C:\providercommon\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2096

[depth 14] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DXR1U0Y5m3.bat"
  PID:2912

[depth 15] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2108

[depth 15] C:\providercommon\lsm.exe
  cmdline: "C:\providercommon\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1448

[depth 16] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat"
  PID:2036

[depth 17] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2720

[depth 17] C:\providercommon\lsm.exe
  cmdline: "C:\providercommon\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2248

[depth 18] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"
  PID:2272

[depth 19] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2420

[depth 19] C:\providercommon\lsm.exe
  cmdline: "C:\providercommon\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3064

[depth 20] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat"
  PID:2768

[depth 21] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2696

[depth 21] C:\providercommon\lsm.exe
  cmdline: "C:\providercommon\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2972

[depth 22] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VoHf0I0Wzs.bat"
  PID:2372

[depth 23] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:1536

[depth 23] C:\providercommon\lsm.exe
  cmdline: "C:\providercommon\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1376

[depth 24] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat"
  PID:1292

[depth 25] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:1828

[depth 25] C:\providercommon\lsm.exe
  cmdline: "C:\providercommon\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:348
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\providercommon\taskhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2944

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2852

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2768

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\es-ES\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2940

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\es-ES\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2648

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\es-ES\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2456

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\dwm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2492

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1880

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1276

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1208

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1060

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:592

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:600

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1260

[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2700
MITRE ATT&CK Enterprise v15
Downloads