Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 02:47
Behavioral task behavioral1
Sample: JaffaCakes118_fd08c5fd4d26d8e2fd0415fc25e954346e6b50b1eb20886d7c1943b06e2df29b.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: JaffaCakes118_fd08c5fd4d26d8e2fd0415fc25e954346e6b50b1eb20886d7c1943b06e2df29b.exe
Resource: win10v2004-20241007-en
The results below are from behavioral1 (Windows 7 x64); the platform and resource fields above and the behavioral1/ prefixes in the yara hits confirm this.
General
Target: JaffaCakes118_fd08c5fd4d26d8e2fd0415fc25e954346e6b50b1eb20886d7c1943b06e2df29b.exe
Size: 1.3MB
MD5: 97348f7f3bf9e023917bcc8ec55c284f
SHA1: d505442ec9c9ec60005c0a9c02913164dadf1562
SHA256: fd08c5fd4d26d8e2fd0415fc25e954346e6b50b1eb20886d7c1943b06e2df29b
SHA512: 9cb5a108ccb51fb8a1b215a59dc08030eaee6a7d45c490843455b9effcd319fc27746b2bc104d1ca99d91689ead96edfebb6c6f4150529e420846c0811da5f44
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.
-
Dcrat family
-
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run all 54 children are schtasks.exe under the same wmiprvse.exe parent (every row lists pid_target 2852), which is consistent with the sample creating its tasks through WMI process creation rather than directly; the process tree therefore does not link these schtasks.exe instances back to DllCommonsvc.exe, and wmiprvse.exe spawning schtasks.exe is worth treating as a hunting signal in its own right.
description | pid | pid_target | Process | procid_target
All 54 rows are identical apart from pid: description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 2852, Process schtasks.exe, procid_target 35.
pid (the spawned schtasks.exe): 2632, 2624, 2760, 2596, 2640, 2716, 532, 2560, 1904, 1708, 1712, 1912, 2512, 2380, 1908, 2504, 1944, 2020, 832, 1148, 2828, 2904, 1312, 2584, 1728, 1188, 404, 2580, 2088, 1500, 948, 1848, 2008, 1976, 2056, 844, 656, 1544, 2320, 2064, 2400, 1616, 1376, 2312, 836, 1492, 2448, 1568, 2084, 2076, 2680, 3000, 3036, 2688
resource | yara_rule
behavioral1/files/0x0008000000016ab9-9.dat | dcrat
behavioral1/memory/2704-13-0x0000000000CB0000-0x0000000000DC0000-memory.dmp | dcrat
behavioral1/memory/2424-154-0x0000000000930000-0x0000000000A40000-memory.dmp | dcrat
behavioral1/memory/1748-213-0x0000000000BE0000-0x0000000000CF0000-memory.dmp | dcrat
behavioral1/memory/1244-273-0x0000000001260000-0x0000000001370000-memory.dmp | dcrat
behavioral1/memory/2676-689-0x0000000000130000-0x0000000000240000-memory.dmp | dcrat
The memory hits are DllCommonsvc.exe (PID 2704) and four of the relaunched copies running as C:\Program Files\Windows Mail\en-US\cmd.exe (PIDs 2424, 1748, 1244, 2676); each is a 0x110000-byte image mapping, i.e. the same payload executed again from its new location.
Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. All 19 instances here call Add-MpPreference -ExclusionPath, each naming one location the payload copies itself to (see the process tree), so the exclusion list doubles as an inventory of planned drop sites, including paths under C:\Recovery, C:\Users\Admin and C:\MSOCache that the file-drop signatures below do not cover. Add-MpPreference needs administrative rights, so any exclusion that actually took effect also implies the dropper ran elevated.
pid | Process (all powershell.exe)
2720, 1516, 2724, 2800, 2668, 2716, 1632, 2748, 1704, 3048, 2120, 2624, 2648, 2732, 2728, 2644, 2868, 2420, 2916
Executes dropped EXE 11 IoCs
pid | Process
2704 | DllCommonsvc.exe
2424 | cmd.exe
1748 | cmd.exe
1244 | cmd.exe
2920 | cmd.exe
2252 | cmd.exe
2904 | cmd.exe
1936 | cmd.exe
1924 | cmd.exe
592 | cmd.exe
2676 | cmd.exe
The cmd.exe rows are the dropped copy at C:\Program Files\Windows Mail\en-US\cmd.exe (see the process tree), not the system binary; filter on image path, not image name, when hunting for it.
Loads dropped DLL 2 IoCs
pid | Process
2256 | cmd.exe
2256 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
4, 5, 9, 12, 15, 18, 22, 25, 28, 31, 35 | raw.githubusercontent.com
Drops file in Program Files directory 16 IoCs
description | ioc | Process
All 16 entries: description "File created", Process DllCommonsvc.exe. ioc:
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\5940a34987c991
C:\Program Files (x86)\Windows NT\Accessories\OSPPSVC.exe
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe
C:\Program Files\Windows Mail\en-US\cmd.exe
C:\Program Files\Windows Mail\en-US\ebf1f9fa8afd6d
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe
C:\Program Files (x86)\MSBuild\services.exe
C:\Program Files (x86)\MSBuild\c5b4cb5e9653cc
C:\Program Files (x86)\Internet Explorer\it-IT\dllhost.exe
C:\Program Files (x86)\Internet Explorer\it-IT\5940a34987c991
C:\Program Files (x86)\Windows NT\Accessories\1610b97d3ab4a7
C:\Program Files (x86)\Google\Temp\c5b4cb5e9653cc
C:\Program Files (x86)\Microsoft Office\dllhost.exe
C:\Program Files (x86)\Google\Temp\services.exe
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\56085415360792
C:\Program Files (x86)\Microsoft Office\5940a34987c991
Every executable is dropped beside a 14-character companion file whose name is fixed per executable name regardless of directory: dllhost.exe with 5940a34987c991, services.exe with c5b4cb5e9653cc, wininit.exe with 56085415360792, cmd.exe with ebf1f9fa8afd6d, OSPPSVC.exe with 1610b97d3ab4a7 (and, under C:\Windows below, conhost.exe with 088424020bedd6, taskhost.exe with b75386f1303e64, dwm.exe with 6cb0b6c459d5d3). The companion names are stable indicators for a filesystem sweep even where the executable has already been removed.
Drops file in Windows directory 9 IoCs
description | ioc | Process (all DllCommonsvc.exe)
File opened for modification | C:\Windows\RemotePackages\RemoteDesktops\conhost.exe
File created | C:\Windows\security\audit\56085415360792
File created | C:\Windows\assembly\taskhost.exe
File created | C:\Windows\RemotePackages\RemoteDesktops\conhost.exe
File created | C:\Windows\RemotePackages\RemoteDesktops\088424020bedd6
File created | C:\Windows\security\audit\wininit.exe
File created | C:\Windows\assembly\b75386f1303e64
File created | C:\Windows\DigitalLocker\es-ES\dwm.exe
File created | C:\Windows\DigitalLocker\es-ES\6cb0b6c459d5d3
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_fd08c5fd4d26d8e2fd0415fc25e954346e6b50b1eb20886d7c1943b06e2df29b.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. In this run each drop location receives three tasks (see the schtasks.exe entries at the end of the process tree): a MINUTE-interval task whose name is the binary name plus one extra letter (e.g. "conhostc"), an ONLOGON task under the bare name (e.g. "conhost") at /rl HIGHEST, and a second MINUTE task that reuses the first name with /rl HIGHEST and, because of /f, overwrites it. Hunt for both task names per binary, not just one.
pid | Process (all schtasks.exe)
2584, 3036, 1904, 1908, 1148, 2084, 2076, 2680, 2008, 2088, 1976, 2312, 2596, 2020, 404, 2580, 2632, 1708, 2640, 2056, 2400, 948, 832, 2904, 1848, 844, 1376, 1492, 2760, 1312, 1728, 1544, 1616, 3000, 2624, 1944, 2828, 2448, 532, 2560, 2504, 836, 1912, 2512, 1500, 2320, 2380, 1188, 656, 2688, 2716, 1712, 1568, 2064
Suspicious behavior: EnumeratesProcesses 34 IoCs
pid | Process
2704 | DllCommonsvc.exe (5 rows)
2728, 2868, 2668, 2800, 2732, 2644, 2120, 1704, 2916, 2624, 2720, 2724, 2648, 2748, 2716, 2420, 3048, 1632, 1516 | powershell.exe (19 rows)
2424, 1748, 1244, 2920, 2252, 2904, 1936, 1924, 592, 2676 | cmd.exe (10 rows)
Suspicious use of AdjustPrivilegeToken 30 IoCs
description | pid | Process (all 30 rows: Token: SeDebugPrivilege)
Token: SeDebugPrivilege | 2704 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2728, 2868, 2668, 2800, 2732, 2644, 2120, 1704, 2916, 2624, 2720, 2724, 2648, 2748, 2716, 2420, 3048, 1632, 1516 | powershell.exe (19 rows)
Token: SeDebugPrivilege | 2424, 1748, 1244, 2920, 2252, 2904, 1936, 1924, 592, 2676 | cmd.exe (10 rows)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | rows
PID 2104 wrote to memory of 2980 | 2104 | JaffaCakes118_fd08c5fd4d26d8e2fd0415fc25e954346e6b50b1eb20886d7c1943b06e2df29b.exe | 30 | 4
PID 2980 wrote to memory of 2256 | 2980 | WScript.exe | 32 | 4
PID 2256 wrote to memory of 2704 | 2256 | cmd.exe | 34 | 4
PID 2704 wrote to memory of 2724 | 2704 | DllCommonsvc.exe | 90 | 3
PID 2704 wrote to memory of 2800 | 2704 | DllCommonsvc.exe | 91 | 3
PID 2704 wrote to memory of 2720 | 2704 | DllCommonsvc.exe | 92 | 3
PID 2704 wrote to memory of 2728 | 2704 | DllCommonsvc.exe | 93 | 3
PID 2704 wrote to memory of 2916 | 2704 | DllCommonsvc.exe | 95 | 3
PID 2704 wrote to memory of 3048 | 2704 | DllCommonsvc.exe | 96 | 3
PID 2704 wrote to memory of 2644 | 2704 | DllCommonsvc.exe | 98 | 3
PID 2704 wrote to memory of 2668 | 2704 | DllCommonsvc.exe | 100 | 3
PID 2704 wrote to memory of 2748 | 2704 | DllCommonsvc.exe | 101 | 3
PID 2704 wrote to memory of 2868 | 2704 | DllCommonsvc.exe | 102 | 3
PID 2704 wrote to memory of 1704 | 2704 | DllCommonsvc.exe | 103 | 3
PID 2704 wrote to memory of 2420 | 2704 | DllCommonsvc.exe | 106 | 3
PID 2704 wrote to memory of 2716 | 2704 | DllCommonsvc.exe | 109 | 3
PID 2704 wrote to memory of 2648 | 2704 | DllCommonsvc.exe | 111 | 3
PID 2704 wrote to memory of 2120 | 2704 | DllCommonsvc.exe | 113 | 3
PID 2704 wrote to memory of 2732 | 2704 | DllCommonsvc.exe | 117 | 3
PID 2704 wrote to memory of 2624 | 2704 | DllCommonsvc.exe | 118 | 3
PID 2704 wrote to memory of 1632 | 2704 | DllCommonsvc.exe | 119 | 1 (list truncated at 64 rows)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
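The three signatures above that a responder acts on (schtasks.exe spawned by wmiprvse.exe, scheduled tasks whose targets borrow system binary names outside their normal directories, and Defender exclusions added with Add-MpPreference) can be checked mechanically against process-creation records. The Python below is an added example written for this page; it is not tria.ge's signature code and not part of DcRat. It assumes a record of (parent image, image, command line) such as a Sysmon Event ID 1 or Security 4688 event, uses a small EXPECTED_DIRS baseline of where those binary names legitimately live (an assumption to extend from your own known-good image), and runs over a constructed sample modelled on the command lines in this report, including one benign admin-created task as a control. The rollback helper emits real schtasks /delete and Remove-MpPreference commands for what it found.

```python
"""Triage of DcRat-style process-creation evidence (added example, not from the report)."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Where these system binary names legitimately ship. Assumption for this example;
# build the real baseline from a known-good image of your own.
_SYS32 = {r"c:\windows\system32", r"c:\windows\syswow64"}
EXPECTED_DIRS = {
    **{n: _SYS32 for n in ("conhost.exe", "dllhost.exe", "cmd.exe")},
    **{n: {r"c:\windows\system32"} for n in ("taskhost.exe", "lsass.exe", "wininit.exe", "services.exe", "dwm.exe")},
    "explorer.exe": {r"c:\windows"},
    "osppsvc.exe": {r"c:\program files\common files\microsoft shared\officesoftwareprotectionplatform"},
}

SCHTASKS_OPT = re.compile(r'/(tn|sc|mo|tr|rl)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
MP_EXCLUSION = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))",
    re.IGNORECASE)

@dataclass
class ProcEvent:          # one process-creation record
    parent_image: str
    image: str
    cmdline: str

@dataclass
class Finding:
    rule: str
    key: str              # task name, exclusion kind, or parent image
    value: str            # task target, exclusion value, or command line

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def is_masquerading(path: str) -> bool:
    """True when a well-known system binary name sits in a directory it does not ship in."""
    p = PureWindowsPath(path)
    homes = EXPECTED_DIRS.get(p.name.lower())
    return homes is not None and str(p.parent).lower() not in homes

def parse_schtasks_create(cmdline: str) -> Optional[dict]:
    """Pull /tn /sc /mo /tr /rl and /f out of a schtasks /create command line; None if not one."""
    if not re.search(r"\bschtasks(\.exe)?\b.*\s/create\b", cmdline, re.IGNORECASE):
        return None
    task = {"tn": None, "sc": None, "mo": None, "tr": None, "rl": None,
            "force": bool(re.search(r"\s/f(?:\s|$)", cmdline, re.IGNORECASE))}
    for m in SCHTASKS_OPT.finditer(cmdline):
        val = m.group(2) if m.group(2) is not None else m.group(3)
        if m.group(1).lower() == "tr":
            val = val.strip("'")   # the report's tasks wrap the target as "'C:\...\x.exe'"
        task[m.group(1).lower()] = val
    return task

def parse_mp_exclusions(cmdline: str) -> List[Tuple[str, str]]:
    """(kind, value) for every Add-MpPreference -ExclusionPath/-Process/-Extension on a command line."""
    out = []
    for m in MP_EXCLUSION.finditer(cmdline):
        out.append((m.group(1).capitalize(), next(g for g in m.groups()[1:] if g is not None)))
    return out

def triage(events: List[ProcEvent]) -> List[Finding]:
    """Apply the three checks this report motivates to a list of process-creation records."""
    findings = []
    for ev in events:
        img = basename(ev.image)
        if img == "schtasks.exe" and basename(ev.parent_image) == "wmiprvse.exe":
            findings.append(Finding("schtasks_from_wmi", ev.parent_image, ev.cmdline))
        task = parse_schtasks_create(ev.cmdline) if img == "schtasks.exe" else None
        if task and task["tr"] and is_masquerading(task["tr"]):
            findings.append(Finding("task_masquerade", task["tn"] or "", task["tr"]))
        if img == "powershell.exe":
            for kind, value in parse_mp_exclusions(ev.cmdline):
                findings.append(Finding("defender_exclusion", kind, value))
    return findings

def rollback_commands(findings: List[Finding]) -> List[str]:
    """Undo commands for the persistence and exclusions triage() found; review before running."""
    cmds = set()
    for f in findings:
        if f.rule == "task_masquerade":
            cmds.add(f'schtasks /delete /tn "{f.key}" /f')
        elif f.rule == "defender_exclusion":
            cmds.add(f"Remove-MpPreference -Exclusion{f.key} '{f.value}'")
    return sorted(cmds)

# Constructed sample modelled on the command lines in this report (not a real log capture).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\system32\schtasks.exe",
              r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\RemotePackages\RemoteDesktops\conhost.exe'" /f'''),
    ProcEvent(r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\system32\schtasks.exe",
              r'''schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\conhost.exe'" /rl HIGHEST /f'''),
    ProcEvent(r"C:\providercommon\DllCommonsvc.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Windows\\RemotePackages\\RemoteDesktops\\conhost.exe'"),
    # Benign control: an administrator's own task with an ordinary target path.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\system32\schtasks.exe",
              r'''schtasks /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\backup.exe" /f'''),
]
```

Running triage(SAMPLE_EVENTS) yields five findings (two schtasks_from_wmi, two task_masquerade, one defender_exclusion) and nothing for the benign control; rollback_commands() then returns the two schtasks /delete lines and one Remove-MpPreference line. The schtasks_from_wmi rule is deliberately kept separate from the masquerade check because, as in this report, the WMI-spawned schtasks.exe instances have no process-tree link to the dropper and would otherwise only be caught by their command lines.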
Processes
Each entry: [depth] image | command line | PID | signatures. Abbreviations: powershell.exe = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; (PS) = Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; (DX) = Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken.
Chain note: from depth 5 onward each generation of the payload runs a batch file from C:\Users\Admin\AppData\Local\Temp, which calls w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (a sleep substitute that blocks for roughly the sampling period) and then starts the copy at C:\Program Files\Windows Mail\en-US\cmd.exe, which repeats the step; ten generations (PIDs 2424, 1748, 1244, 2920, 2252, 2904, 1936, 1924, 592, 2676) complete within the 150 s run.
[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fd08c5fd4d26d8e2fd0415fc25e954346e6b50b1eb20886d7c1943b06e2df29b.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fd08c5fd4d26d8e2fd0415fc25e954346e6b50b1eb20886d7c1943b06e2df29b.exe" | PID 2104 | System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" | PID 2980 | System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\providercommon\1zu9dW.bat" " | PID 2256 | Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[4] C:\providercommon\DllCommonsvc.exe | "C:\providercommon\DllCommonsvc.exe" | PID 2704 | Executes dropped EXE; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[5] powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' | PID 2724 | (PS)
[5] powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteDesktops\conhost.exe' | PID 2800 | (PS)
[5] powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\wininit.exe' | PID 2720 | (PS)
[5] powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\dllhost.exe' | PID 2728 | (PS)
[5] powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\OSPPSVC.exe' | PID 2916 | (PS)
[5] powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe' | PID 3048 | (PS)
[5] powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\services.exe' | PID 2644 | (PS)
[5] powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\audit\wininit.exe' | PID 2668 | (PS)
[5] powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe' | PID 2748 | (PS)
[5] powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\cmd.exe' | PID 2868 | (PS)
[5] powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe' | PID 1704 | (PS)
[5] powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\dllhost.exe' | PID 2420 | (PS)
[5] powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\taskhost.exe' | PID 2716 | (PS)
[5] powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\taskhost.exe' | PID 2648 | (PS)
[5] powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe' | PID 2120 | (PS)
[5] powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe' | PID 2732 | (PS)
[5] powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\services.exe' | PID 2624 | (PS)
[5] powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe' | PID 1632 | (PS)
[5] powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\es-ES\dwm.exe' | PID 1516 | (PS)
[5] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OK5jF1T7T4.bat" | PID 2440 | none
[6] C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 | PID 2332 | none
[6] C:\Program Files\Windows Mail\en-US\cmd.exe | "C:\Program Files\Windows Mail\en-US\cmd.exe" | PID 2424 | (DX)
[7] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8qIUyQJ4qD.bat" | PID 2088 | none
[8] C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 | PID 404 | none
[8] C:\Program Files\Windows Mail\en-US\cmd.exe | "C:\Program Files\Windows Mail\en-US\cmd.exe" | PID 1748 | (DX)
[9] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat" | PID 1796 | none
[10] C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 | PID 2684 | none
[10] C:\Program Files\Windows Mail\en-US\cmd.exe | "C:\Program Files\Windows Mail\en-US\cmd.exe" | PID 1244 | (DX)
[11] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syea0WjfTx.bat" | PID 1716 | none
[12] C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 | PID 2388 | none
[12] C:\Program Files\Windows Mail\en-US\cmd.exe | "C:\Program Files\Windows Mail\en-US\cmd.exe" | PID 2920 | (DX)
[13] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat" | PID 2096 | none
[14] C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 | PID 1184 | none
[14] C:\Program Files\Windows Mail\en-US\cmd.exe | "C:\Program Files\Windows Mail\en-US\cmd.exe" | PID 2252 | (DX)
[15] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat" | PID 2396 | none
[16] C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 | PID 2684 | none
[16] C:\Program Files\Windows Mail\en-US\cmd.exe | "C:\Program Files\Windows Mail\en-US\cmd.exe" | PID 2904 | (DX)
[17] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat" | PID 1244 | none
[18] C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 | PID 2388 | none
[18] C:\Program Files\Windows Mail\en-US\cmd.exe | "C:\Program Files\Windows Mail\en-US\cmd.exe" | PID 1936 | (DX)
[19] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ixwcMXCIg.bat" | PID 924 | none
[20] C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 | PID 2136 | none
[20] C:\Program Files\Windows Mail\en-US\cmd.exe | "C:\Program Files\Windows Mail\en-US\cmd.exe" | PID 1924 | (DX)
[21] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PfMhC4n1i0.bat" | PID 1536 | none
[22] C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 | PID 2936 | none
[22] C:\Program Files\Windows Mail\en-US\cmd.exe | "C:\Program Files\Windows Mail\en-US\cmd.exe" | PID 592 | (DX)
[23] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat" | PID 1836 | none
[24] C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 | PID 2788 | none
[24] C:\Program Files\Windows Mail\en-US\cmd.exe | "C:\Program Files\Windows Mail\en-US\cmd.exe" | PID 2676 | (DX)
[25] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ER58NgmlZn.bat" | PID 1556 | none
[26] C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 | PID 2996 | none
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\RemotePackages\RemoteDesktops\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\RemotePackages\RemoteDesktops\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\dllhost.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\dllhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\dllhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\OSPPSVC.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\OSPPSVC.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\OSPPSVC.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\services.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\services.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\services.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\security\audit\wininit.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\security\audit\wininit.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\security\audit\wininit.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\en-US\cmd.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\cmd.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\cmd.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\dllhost.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\dllhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\dllhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\taskhost.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\taskhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\taskhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\assembly\taskhost.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:656
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\assembly\taskhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\assembly\taskhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsass.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\services.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\services.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\services.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\es-ES\dwm.exe'" /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\es-ES\dwm.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\DigitalLocker\es-ES\dwm.exe'" /rl HIGHEST /f  1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688
Network
MITRE ATT&CK Enterprise v15
Downloads