Analysis
max time kernel: 145s
max time network: 140s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22/12/2024, 03:07
Behavioral task: behavioral1
Sample: JaffaCakes118_5ae728afed04541315123abe20964ad7978e4fc91485bbe807b36892ab826b96.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_5ae728afed04541315123abe20964ad7978e4fc91485bbe807b36892ab826b96.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_5ae728afed04541315123abe20964ad7978e4fc91485bbe807b36892ab826b96.exe
Size: 1.3MB
MD5: 532642b7eec6ac7b2c884cf71186f6de
SHA1: 38034ba7e0a1507debecb8e14b0e52c761176754
SHA256: 5ae728afed04541315123abe20964ad7978e4fc91485bbe807b36892ab826b96
SHA512: cc142edc962063699bd6a951bc1f3d6282eb98e05178a3a7eb4f00a37a776673389ad5c392abf6d70b99346e500abbd28ddf870505d969ea746f03f2ea076fe0
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2956 | 2216 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2948 | 2216 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2916 | 2216 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2744 | 2216 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2636 | 2216 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2684 | 2216 | schtasks.exe | 34
resource | yara_rule
behavioral1/files/0x0007000000015da7-12.dat | dcrat
behavioral1/memory/2252-13-0x00000000010F0000-0x0000000001200000-memory.dmp | dcrat
behavioral1/memory/2008-45-0x0000000000920000-0x0000000000A30000-memory.dmp | dcrat
behavioral1/memory/1336-105-0x0000000001200000-0x0000000001310000-memory.dmp | dcrat
behavioral1/memory/2124-285-0x0000000000190000-0x00000000002A0000-memory.dmp | dcrat
behavioral1/memory/1724-345-0x0000000001270000-0x0000000001380000-memory.dmp | dcrat
behavioral1/memory/2880-465-0x00000000013C0000-0x00000000014D0000-memory.dmp | dcrat
behavioral1/memory/2932-584-0x0000000000330000-0x0000000000440000-memory.dmp | dcrat
behavioral1/memory/3036-644-0x0000000000390000-0x00000000004A0000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2752 | powershell.exe
2800 | powershell.exe
2364 | powershell.exe
Executes dropped EXE 12 IoCs
pid | Process
2252 | DllCommonsvc.exe
2008 | OSPPSVC.exe
1336 | OSPPSVC.exe
2784 | OSPPSVC.exe
2880 | OSPPSVC.exe
2124 | OSPPSVC.exe
1724 | OSPPSVC.exe
2636 | OSPPSVC.exe
2880 | OSPPSVC.exe
1556 | OSPPSVC.exe
2932 | OSPPSVC.exe
3036 | OSPPSVC.exe
Loads dropped DLL 2 IoCs
pid | Process
2524 | cmd.exe
2524 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
9 | raw.githubusercontent.com
16 | raw.githubusercontent.com
33 | raw.githubusercontent.com
36 | raw.githubusercontent.com
22 | raw.githubusercontent.com
26 | raw.githubusercontent.com
29 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
12 | raw.githubusercontent.com
19 | raw.githubusercontent.com
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files\Java\jdk1.7.0_80\lib\wininit.exe | DllCommonsvc.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\56085415360792 | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_5ae728afed04541315123abe20964ad7978e4fc91485bbe807b36892ab826b96.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2948 | schtasks.exe
2916 | schtasks.exe
2744 | schtasks.exe
2636 | schtasks.exe
2684 | schtasks.exe
2956 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid | Process
2252 | DllCommonsvc.exe
2364 | powershell.exe
2752 | powershell.exe
2800 | powershell.exe
2008 | OSPPSVC.exe
1336 | OSPPSVC.exe
2784 | OSPPSVC.exe
2880 | OSPPSVC.exe
2124 | OSPPSVC.exe
1724 | OSPPSVC.exe
2636 | OSPPSVC.exe
2880 | OSPPSVC.exe
1556 | OSPPSVC.exe
2932 | OSPPSVC.exe
3036 | OSPPSVC.exe
Suspicious use of AdjustPrivilegeToken 15 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2252 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2364 | powershell.exe
Token: SeDebugPrivilege | 2752 | powershell.exe
Token: SeDebugPrivilege | 2800 | powershell.exe
Token: SeDebugPrivilege | 2008 | OSPPSVC.exe
Token: SeDebugPrivilege | 1336 | OSPPSVC.exe
Token: SeDebugPrivilege | 2784 | OSPPSVC.exe
Token: SeDebugPrivilege | 2880 | OSPPSVC.exe
Token: SeDebugPrivilege | 2124 | OSPPSVC.exe
Token: SeDebugPrivilege | 1724 | OSPPSVC.exe
Token: SeDebugPrivilege | 2636 | OSPPSVC.exe
Token: SeDebugPrivilege | 2880 | OSPPSVC.exe
Token: SeDebugPrivilege | 1556 | OSPPSVC.exe
Token: SeDebugPrivilege | 2932 | OSPPSVC.exe
Token: SeDebugPrivilege | 3036 | OSPPSVC.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2160 wrote to memory of 1804 | 2160 | JaffaCakes118_5ae728afed04541315123abe20964ad7978e4fc91485bbe807b36892ab826b96.exe | 30
PID 2160 wrote to memory of 1804 | 2160 | JaffaCakes118_5ae728afed04541315123abe20964ad7978e4fc91485bbe807b36892ab826b96.exe | 30
PID 2160 wrote to memory of 1804 | 2160 | JaffaCakes118_5ae728afed04541315123abe20964ad7978e4fc91485bbe807b36892ab826b96.exe | 30
PID 2160 wrote to memory of 1804 | 2160 | JaffaCakes118_5ae728afed04541315123abe20964ad7978e4fc91485bbe807b36892ab826b96.exe | 30
PID 1804 wrote to memory of 2524 | 1804 | WScript.exe | 31
PID 1804 wrote to memory of 2524 | 1804 | WScript.exe | 31
PID 1804 wrote to memory of 2524 | 1804 | WScript.exe | 31
PID 1804 wrote to memory of 2524 | 1804 | WScript.exe | 31
PID 2524 wrote to memory of 2252 | 2524 | cmd.exe | 33
PID 2524 wrote to memory of 2252 | 2524 | cmd.exe | 33
PID 2524 wrote to memory of 2252 | 2524 | cmd.exe | 33
PID 2524 wrote to memory of 2252 | 2524 | cmd.exe | 33
PID 2252 wrote to memory of 2752 | 2252 | DllCommonsvc.exe | 41
PID 2252 wrote to memory of 2752 | 2252 | DllCommonsvc.exe | 41
PID 2252 wrote to memory of 2752 | 2252 | DllCommonsvc.exe | 41
PID 2252 wrote to memory of 2800 | 2252 | DllCommonsvc.exe | 42
PID 2252 wrote to memory of 2800 | 2252 | DllCommonsvc.exe | 42
PID 2252 wrote to memory of 2800 | 2252 | DllCommonsvc.exe | 42
PID 2252 wrote to memory of 2364 | 2252 | DllCommonsvc.exe | 43
PID 2252 wrote to memory of 2364 | 2252 | DllCommonsvc.exe | 43
PID 2252 wrote to memory of 2364 | 2252 | DllCommonsvc.exe | 43
PID 2252 wrote to memory of 556 | 2252 | DllCommonsvc.exe | 47
PID 2252 wrote to memory of 556 | 2252 | DllCommonsvc.exe | 47
PID 2252 wrote to memory of 556 | 2252 | DllCommonsvc.exe | 47
PID 556 wrote to memory of 484 | 556 | cmd.exe | 49
PID 556 wrote to memory of 484 | 556 | cmd.exe | 49
PID 556 wrote to memory of 484 | 556 | cmd.exe | 49
PID 556 wrote to memory of 2008 | 556 | cmd.exe | 51
PID 556 wrote to memory of 2008 | 556 | cmd.exe | 51
PID 556 wrote to memory of 2008 | 556 | cmd.exe | 51
PID 2008 wrote to memory of 1544 | 2008 | OSPPSVC.exe | 52
PID 2008 wrote to memory of 1544 | 2008 | OSPPSVC.exe | 52
PID 2008 wrote to memory of 1544 | 2008 | OSPPSVC.exe | 52
PID 1544 wrote to memory of 2128 | 1544 | cmd.exe | 54
PID 1544 wrote to memory of 2128 | 1544 | cmd.exe | 54
PID 1544 wrote to memory of 2128 | 1544 | cmd.exe | 54
PID 1544 wrote to memory of 1336 | 1544 | cmd.exe | 55
PID 1544 wrote to memory of 1336 | 1544 | cmd.exe | 55
PID 1544 wrote to memory of 1336 | 1544 | cmd.exe | 55
PID 1336 wrote to memory of 2068 | 1336 | OSPPSVC.exe | 56
PID 1336 wrote to memory of 2068 | 1336 | OSPPSVC.exe | 56
PID 1336 wrote to memory of 2068 | 1336 | OSPPSVC.exe | 56
PID 2068 wrote to memory of 2332 | 2068 | cmd.exe | 58
PID 2068 wrote to memory of 2332 | 2068 | cmd.exe | 58
PID 2068 wrote to memory of 2332 | 2068 | cmd.exe | 58
PID 2068 wrote to memory of 2784 | 2068 | cmd.exe | 59
PID 2068 wrote to memory of 2784 | 2068 | cmd.exe | 59
PID 2068 wrote to memory of 2784 | 2068 | cmd.exe | 59
PID 2784 wrote to memory of 2840 | 2784 | OSPPSVC.exe | 60
PID 2784 wrote to memory of 2840 | 2784 | OSPPSVC.exe | 60
PID 2784 wrote to memory of 2840 | 2784 | OSPPSVC.exe | 60
PID 2840 wrote to memory of 1888 | 2840 | cmd.exe | 62
PID 2840 wrote to memory of 1888 | 2840 | cmd.exe | 62
PID 2840 wrote to memory of 1888 | 2840 | cmd.exe | 62
PID 2840 wrote to memory of 2880 | 2840 | cmd.exe | 63
PID 2840 wrote to memory of 2880 | 2840 | cmd.exe | 63
PID 2840 wrote to memory of 2880 | 2840 | cmd.exe | 63
PID 2880 wrote to memory of 1388 | 2880 | OSPPSVC.exe | 64
PID 2880 wrote to memory of 1388 | 2880 | OSPPSVC.exe | 64
PID 2880 wrote to memory of 1388 | 2880 | OSPPSVC.exe | 64
PID 1388 wrote to memory of 1900 | 1388 | cmd.exe | 66
PID 1388 wrote to memory of 1900 | 1388 | cmd.exe | 66
PID 1388 wrote to memory of 1900 | 1388 | cmd.exe | 66
PID 1388 wrote to memory of 2124 | 1388 | cmd.exe | 67
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ae728afed04541315123abe20964ad7978e4fc91485bbe807b36892ab826b96.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ae728afed04541315123abe20964ad7978e4fc91485bbe807b36892ab826b96.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2160

 (level 2) C:\Windows\SysWOW64\WScript.exe
   command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1804

  (level 3) C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2524

   (level 4) C:\providercommon\DllCommonsvc.exe
     command line: "C:\providercommon\DllCommonsvc.exe"
     - Executes dropped EXE
     - Drops file in Program Files directory
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
     PID: 2252

    (level 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2752

    (level 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2800

    (level 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\lib\wininit.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2364

    (level 5) C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P2XacHOZcy.bat"
      - Suspicious use of WriteProcessMemory
      PID: 556

     (level 6) C:\Windows\system32\w32tm.exe
       command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
       PID: 484

     (level 6) C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
       command line: "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe"
       - Executes dropped EXE
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory
       PID: 2008

      (level 7) C:\Windows\System32\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat"
        - Suspicious use of WriteProcessMemory
        PID: 1544

       (level 8) C:\Windows\system32\w32tm.exe
         command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
         PID: 2128

       (level 8) C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
         command line: "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe"
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         PID: 1336

        (level 9) C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat"
          - Suspicious use of WriteProcessMemory
          PID: 2068

         (level 10) C:\Windows\system32\w32tm.exe
           command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
           PID: 2332

         (level 10) C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
           command line: "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe"
           - Executes dropped EXE
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of AdjustPrivilegeToken
           - Suspicious use of WriteProcessMemory
           PID: 2784

          (level 11) C:\Windows\System32\cmd.exe
            command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat"
            - Suspicious use of WriteProcessMemory
            PID: 2840

           (level 12) C:\Windows\system32\w32tm.exe
             command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
             PID: 1888

           (level 12) C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
             command line: "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe"
             - Executes dropped EXE
             - Suspicious behavior: EnumeratesProcesses
             - Suspicious use of AdjustPrivilegeToken
             - Suspicious use of WriteProcessMemory
             PID: 2880

            (level 13) C:\Windows\System32\cmd.exe
              command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat"
              - Suspicious use of WriteProcessMemory
              PID: 1388

             (level 14) C:\Windows\system32\w32tm.exe
               command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
               PID: 1900

             (level 14) C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
               command line: "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe"
               - Executes dropped EXE
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
               PID: 2124

              (level 15) C:\Windows\System32\cmd.exe
                command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat"
                PID: 1704

               (level 16) C:\Windows\system32\w32tm.exe
                 command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                 PID: 1624

               (level 16) C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
                 command line: "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe"
                 - Executes dropped EXE
                 - Suspicious behavior: EnumeratesProcesses
                 - Suspicious use of AdjustPrivilegeToken
                 PID: 1724

                (level 17) C:\Windows\System32\cmd.exe
                  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQtyVABn1C.bat"
                  PID: 2916

                 (level 18) C:\Windows\system32\w32tm.exe
                   command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                   PID: 580

                 (level 18) C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
                   command line: "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe"
                   - Executes dropped EXE
                   - Suspicious behavior: EnumeratesProcesses
                   - Suspicious use of AdjustPrivilegeToken
                   PID: 2636

                  (level 19) C:\Windows\System32\cmd.exe
                    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWs9jrlB8v.bat"
                    PID: 536

                   (level 20) C:\Windows\system32\w32tm.exe
                     command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                     PID: 328

                   (level 20) C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
                     command line: "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe"
                     - Executes dropped EXE
                     - Suspicious behavior: EnumeratesProcesses
                     - Suspicious use of AdjustPrivilegeToken
                     PID: 2880

                    (level 21) C:\Windows\System32\cmd.exe
                      command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat"
                      PID: 388

                     (level 22) C:\Windows\system32\w32tm.exe
                       command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                       PID: 3024

                     (level 22) C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
                       command line: "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe"
                       - Executes dropped EXE
                       - Suspicious behavior: EnumeratesProcesses
                       - Suspicious use of AdjustPrivilegeToken
                       PID: 1556

                      (level 23) C:\Windows\System32\cmd.exe
                        command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat"
                        PID: 1060

                       (level 24) C:\Windows\system32\w32tm.exe
                         command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                         PID: 1180

                       (level 24) C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
                         command line: "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe"
                         - Executes dropped EXE
                         - Suspicious behavior: EnumeratesProcesses
                         - Suspicious use of AdjustPrivilegeToken
                         PID: 2932

                        (level 25) C:\Windows\System32\cmd.exe
                          command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat"
                          PID: 1752

                         (level 26) C:\Windows\system32\w32tm.exe
                           command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                           PID: 2220

                         (level 26) C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
                           command line: "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe"
                           - Executes dropped EXE
                           - Suspicious behavior: EnumeratesProcesses
                           - Suspicious use of AdjustPrivilegeToken
                           PID: 3036

(level 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2956

(level 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2948

(level 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2916

(level 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\wininit.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2744

(level 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2636

(level 1) C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2684
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: bc22a34c8f46ce6f483bce8c8e239419
SHA1: 2d6a216f69818d91eafb2139c485d34715778357
SHA256: 36b53cb2b1a0b1ec19b2f3ab7576e772ad3a3175d677d5656167966de8391128
SHA512: 0a6ac88237a9dd443a04e652d56d75ae9baaf59461f4ce69781d426bca1fbbccc0765963b3229a67cece39c2db161a5a4878eb3adca9dc985c159f16e44668d3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 3f5c3c561853f491e84c9dcb6d32e4ee
SHA1: d959807ae6d847857c709ca9b62e8f83c717e768
SHA256: 4c922a66d3b3414de8b3cb7da99869044f5434c86ca9e18bb3b65eb0e17ec6e1
SHA512: 295f523b95f00a00fff2cdc883c1cb29059c70981b8e8c5a0a0e2fb3b4b1d5c85652441efe8e6b3f8a39d158dfa4f1fafc1bb757567d6add1113e659887d9d8b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: a63635a8007a47c4c704880b7cfe68c4
SHA1: 12335c08fe3d908e07b61ddba1ab82135adcc250
SHA256: b861a75cfa0effd1de796e5cfc6bb5bed75bad2fcfa128b16f1da55e60b449c0
SHA512: 3e226d2342a5d243f720897a95aa15d5d49824cbf5082353df8200c176f889f543f77d33a58594819ce5684c0e14795cff61fa1212150e2caaab924575b977df

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 61be2bcf8c6c236f575ec14b1c9d6759
SHA1: 0cee51787e2fbfb04655208a7ebe3665553c5ca7
SHA256: 8944a929f9800e47b35471a58945328c1f28a8371cea043e895fb05272b5f489
SHA512: dc52a39fd55fef0e5ff6b05a2852de905bf2ba613c9a26e07d4a401596fb6622bfdac651f5de0938b8a7aa8e17a4bb97ec8994c5862fea400c84256456416c34

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 6412d9bddf043406e1f207e8d89758bb
SHA1: cfa1786080e1395559cda71546207b33a4a4bfd6
SHA256: d02017a82ebb2a4a002e293336a9d17415daf0d3bb3437ba96a6481ba8885142
SHA512: b989e5b86b1ce6dbb1cdf8a1e50d1033d843a0e605a20ea25f14f7a45c47ba955bb69ce9823dfbb6424ec1e926a931fa15ec8ecbc4a3bbda7301c8a7a6635ecc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 4cb65b8c5f9df311bb3bcc86f1c66633
SHA1: a5b2aadd8f9d5ab36dfa7f41560ddf7ceabe3a3e
SHA256: 293bcb96fa161f15fe6330f0ec82a3b34a96447da19907b70394d8c11e6c83a7
SHA512: e8cd9406038025bd260a08cc0a0de0fd9fca638a252e91952308aca21a2034fab7590d285b84e04c0708422ca3095231fbcf0aab6f4e316c40b48d6a8b3d9b83

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: b2dfcbe2a839958ec8cd7c093158a9da
SHA1: e510b955bf8e6e3da34ecea9f5fe6e3bf28442f0
SHA256: 0c5125639de721f85871c6d1a3ecac00eac88bc50cc7248a7be13b87a7f3616a
SHA512: e382389f96b26c0a06871e3f7b36e1a2e9d08a7b051c11cd9197190b589bbdc18f93eb2cc46b6fab0df8e04d008759cadcd1183a3be3d45ab8723c7b483710b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 76d39716d5b99fc3632b251ef813033f
SHA1: e693b84cf1f077cee46ac21860340d1ac3516ca3
SHA256: c4913cf55fe3a2be7b8f5cf7cc595f9ac5b497f301b60c24a124a1df94145252
SHA512: 5656d17682dd4a3fd1a8adeb5eaf10d7ef9307a4ccac616c22228e401fbc5a75aa0e314687fc2138006cb002ab4ba856feba0bf09fa29d626a0f687888e4506a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 578dd5874f468cd4b00f513a7c685f49
SHA1: 47a4e2b6254a4ad55214b27cb4f5f37965adfdc1
SHA256: 9da5f33e3a0d0d6999347d00a17d3311462515350590dd5b400d92e759b25ecb
SHA512: 1d2b6aed69c2c12cf2e409f72d65b300968b84f744674293e73f2da28e3bef5cc2c370048e6f21b4e861f239df20e6b100ff73b99335f66fb631db2514daf815

Filesize: 225B
MD5: 4c27121cb0caa5ea3029fbf31c6e5a52
SHA1: b517996795c45ada4b3b522339939b34b15795c5
SHA256: 23a979b1ad49935af6ea846a2bcc0e7e5298ced4d4847d66cfd9bfa3732e2169
SHA512: d85c5d4fd898a03f08ebe22173cdeeccf1f025f2a4c43a7d6944569df6b699bf2211907bf0d94ff29b7687b9df25555c2d0eaba43015850c034e327484cc78d8

Filesize: 225B
MD5: 788c6bb0879a7e62266176335e4dc195
SHA1: 22e1eb78fa4fe75714f6e620f7185d4c68e2ee75
SHA256: 3df4e88314c06268066426c38d41e666fad68479c6f599084b7b53a180861820
SHA512: 06f86977bcc7a7a482ded8fa8e5f7586c31e3d41b14e8b8ec0d706b87a9fe34e86881a29e573aeb66ef35e854a187856a36bebb9791aff7bd5a19b9c06820e7f

Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize: 225B
MD5: 6e5b07e2550471b9175d749d4f390ff3
SHA1: 5e2ad6d102ad205867e6d9894ffe95eff7f6e849
SHA256: f3df282785596a4a8e1300fca38a2dd66cff606729a493974623985e73bc5370
SHA512: 0ab8d6d34afb574d3c5113a6f8a0c009e847ea3e0da378b2fe0b4215b3cd468e614bcec6cb774f5978ce9afd4d4d86cf51754c1243be45dac4eb30fa4eae978d

Filesize: 225B
MD5: c870598d894ea92503ed1752bc419bc3
SHA1: be2d161a25011d2253b8b8262b6980bbf090db5f
SHA256: f57f3afa31017cd2a9b73e055a0a77c4983af2a69accabaac5dbdd6afd7c46b8
SHA512: ab334a0e47a93362a484262f9138d68cad53f1d6e9144b15a248821372d52e3802eabe8651ce12076cfa6ffeb439288d02ca9fd54f03383cfeabeb892fb62f8a

Filesize: 225B
MD5: 557e1a2457ff1fb1933712b73d7451ef
SHA1: 5aba2e32afefb12ebd86a8e0fce777a99c5a17cf
SHA256: f1986bc5a006d39a4b0f3e89b7350be9692115a300acae2a09d3427f398a2bad
SHA512: 485b53e7c9edebaf22597587c31bcb6cd8b910d01a77b6eecc6e1895be815fb80bcbc5ded4289789fa6068b2f6888ea9f515950977c95c47b827c9180e89b2af

Filesize: 225B
MD5: 29f69db02a5bccb51faeed8041aa8c26
SHA1: 23f58b3fc0921d537656c61c7464f007ccb06e6c
SHA256: c0f6469e21570398b8f95b92a25858ff6640ffe128a7d532fee328714c243655
SHA512: 581fa47ec160743855d5c4fca6a1c9d26a83bbe84f54147f89e8942b71ca95b9d11b1953b5316f0eefffa9cb4f4614ccd92bef8e86f718c2b5b90c1dd8db57af

Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Filesize: 225B
MD5: 0d54ecb9a2170b1332d87a520ffe2e12
SHA1: 8439913492277f8317ca3871b273c8f6b617d9d2
SHA256: f03595ce76607c120c2abd52006395df6b442f097e6e50b4cef013cb15d3e06c
SHA512: 3344d6f28f851e5c1e33a2faac5487c6d3e39c48aed15e6094db0c9ca7f97994bc924bdb3d323c1be8a1b1fe3723a46ed374925f4f70dacfa6b7ed39a9904ec8

Filesize: 225B
MD5: a158d815bdbb9831a9c0d778b8435c08
SHA1: 0d637aea4557e197445a549e63a22428d6e7b524
SHA256: 0b0252276665f1f83182223edaecf65e26638863167e16cc6147108bc7daaa9f
SHA512: 4980fd65e51d6e32260633efbb6032a17e631be082fce2b97d003e1d0a8c0dacef58e8d770d04c9cb295280cb5df661f1afec98c0d02f91ccd74f7cbb957886e

Filesize: 225B
MD5: ffd1e98b7981cfe9b00cc3657efecafa
SHA1: 66a2193560a550276ffe3a841fe19dca5e085899
SHA256: ff24fdbc5e06b2a76faca3bb1e4b5048907a2f0cb4fb2c69c035fd69cec532c1
SHA512: 07fb1ede97cc1f0e3ee80dae4406837d5b836e8c2ac2aafd58bf869cf7bfb3c4941505b7fca05a27f2a4f45e19caa521422e18a9174e3ea3bbafafb292e066fc

Filesize: 225B
MD5: 9902d6f8440f041641ab1eda768befd3
SHA1: 8f3e5e12f332aa9337e9cc486b47003d6dfaa630
SHA256: ed18e15d4aad75d19955b904d22d53ff41e42720c62c22b00b19464275b944d1
SHA512: ec8f52724b631790cca756ddb664e56ac2d0ac59a725fa66d055301fb826765d2d8f7c8f2f3bbcf985258dca3c2f1b0a2d00d28c588e35bde3ab59a6a76b0be6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: bae6441d68dfda58c8dc9e6863f51cc8
SHA1: ff9562df4544a170af78f36ce9d7b766d28476f1
SHA256: cb6ae89a0b8658540bbc6ae277bc6b00da9b363449cf333ecbeee3a128b08862
SHA512: 59c10c6ab9289d38aa32610cee2fab68981bef5836396dd7e284f50a4173e032e45830ddcbde5760102161c2d8934a70130852b059f967b36a5ff1f6923f7b40

Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478