Analysis
max time kernel: 149s
max time network: 153s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 02:41
Behavioral task: behavioral1
Sample: JaffaCakes118_0d1424eaa60b12379d786db65f2d5d735802e80d10bb801421cc8b2b6115a598.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_0d1424eaa60b12379d786db65f2d5d735802e80d10bb801421cc8b2b6115a598.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_0d1424eaa60b12379d786db65f2d5d735802e80d10bb801421cc8b2b6115a598.exe
Size: 1.3MB
MD5: d56ce03b4b90817dd9b3146e7ad21e32
SHA1: bdcf7fb63bf4a57487fce8daee047c0ae3495c4e
SHA256: 0d1424eaa60b12379d786db65f2d5d735802e80d10bb801421cc8b2b6115a598
SHA512: 376c62ffebec37af68258c3f349b610a46a890bdbb758bf5b4a40d20f958a9ca022fdaff708438dba8772c700e2f0cb5eecf492e46f2167c1d84cbdb067714e5
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family
resource | yara_rule
behavioral1/files/0x0008000000016c58-9.dat | dcrat
behavioral1/memory/2896-13-0x0000000000070000-0x0000000000180000-memory.dmp | dcrat
behavioral1/memory/2432-58-0x0000000000010000-0x0000000000120000-memory.dmp | dcrat
behavioral1/memory/2068-118-0x00000000013A0000-0x00000000014B0000-memory.dmp | dcrat
behavioral1/memory/2600-533-0x00000000000F0000-0x0000000000200000-memory.dmp | dcrat
behavioral1/memory/1668-594-0x0000000001350000-0x0000000001460000-memory.dmp | dcrat

Process spawned unexpected child process (12 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2996 | 2724 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2744 | 2724 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2916 | 2724 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2728 | 2724 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2636 | 2724 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2172 | 2724 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1984 | 2724 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2008 | 2724 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2020 | 2724 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1596 | 2724 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1348 | 2724 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2128 | 2724 | schtasks.exe | 35
Command and Scripting Interpreter: PowerShell (1 TTPs, 5 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1180 | powershell.exe
1896 | powershell.exe
1624 | powershell.exe
1644 | powershell.exe
1708 | powershell.exe

Executes dropped EXE (12 IoCs)
pid | Process
2896 | DllCommonsvc.exe
2432 | csrss.exe
2068 | csrss.exe
2800 | csrss.exe
1692 | csrss.exe
1568 | csrss.exe
2292 | csrss.exe
2952 | csrss.exe
2280 | csrss.exe
2600 | csrss.exe
1668 | csrss.exe
2784 | csrss.exe

Loads dropped DLL (2 IoCs)
pid | Process
1988 | cmd.exe
1988 | cmd.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 11 IoCs)
flow | ioc
37 | raw.githubusercontent.com
4 | raw.githubusercontent.com
19 | raw.githubusercontent.com
33 | raw.githubusercontent.com
16 | raw.githubusercontent.com
23 | raw.githubusercontent.com
27 | raw.githubusercontent.com
30 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com

Drops file in Program Files directory (7 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\101b941d020240 | DllCommonsvc.exe
File created | C:\Program Files\MSBuild\Microsoft\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files\MSBuild\Microsoft\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files\Google\Chrome\OSPPSVC.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files\Google\Chrome\OSPPSVC.exe | DllCommonsvc.exe
File created | C:\Program Files\Google\Chrome\1610b97d3ab4a7 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe | DllCommonsvc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_0d1424eaa60b12379d786db65f2d5d735802e80d10bb801421cc8b2b6115a598.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 12 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2636 | schtasks.exe
2172 | schtasks.exe
1596 | schtasks.exe
1348 | schtasks.exe
2996 | schtasks.exe
2916 | schtasks.exe
2728 | schtasks.exe
2020 | schtasks.exe
2128 | schtasks.exe
2744 | schtasks.exe
1984 | schtasks.exe
2008 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (17 IoCs)
pid | Process
2896 | DllCommonsvc.exe
1644 | powershell.exe
1180 | powershell.exe
1896 | powershell.exe
1624 | powershell.exe
1708 | powershell.exe
2432 | csrss.exe
2068 | csrss.exe
2800 | csrss.exe
1692 | csrss.exe
1568 | csrss.exe
2292 | csrss.exe
2952 | csrss.exe
2280 | csrss.exe
2600 | csrss.exe
1668 | csrss.exe
2784 | csrss.exe

Suspicious use of AdjustPrivilegeToken (17 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2896 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1644 | powershell.exe
Token: SeDebugPrivilege | 1180 | powershell.exe
Token: SeDebugPrivilege | 1896 | powershell.exe
Token: SeDebugPrivilege | 1624 | powershell.exe
Token: SeDebugPrivilege | 1708 | powershell.exe
Token: SeDebugPrivilege | 2432 | csrss.exe
Token: SeDebugPrivilege | 2068 | csrss.exe
Token: SeDebugPrivilege | 2800 | csrss.exe
Token: SeDebugPrivilege | 1692 | csrss.exe
Token: SeDebugPrivilege | 1568 | csrss.exe
Token: SeDebugPrivilege | 2292 | csrss.exe
Token: SeDebugPrivilege | 2952 | csrss.exe
Token: SeDebugPrivilege | 2280 | csrss.exe
Token: SeDebugPrivilege | 2600 | csrss.exe
Token: SeDebugPrivilege | 1668 | csrss.exe
Token: SeDebugPrivilege | 2784 | csrss.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2408 wrote to memory of 2552 | 2408 | JaffaCakes118_0d1424eaa60b12379d786db65f2d5d735802e80d10bb801421cc8b2b6115a598.exe | 31
PID 2408 wrote to memory of 2552 | 2408 | JaffaCakes118_0d1424eaa60b12379d786db65f2d5d735802e80d10bb801421cc8b2b6115a598.exe | 31
PID 2408 wrote to memory of 2552 | 2408 | JaffaCakes118_0d1424eaa60b12379d786db65f2d5d735802e80d10bb801421cc8b2b6115a598.exe | 31
PID 2408 wrote to memory of 2552 | 2408 | JaffaCakes118_0d1424eaa60b12379d786db65f2d5d735802e80d10bb801421cc8b2b6115a598.exe | 31
PID 2552 wrote to memory of 1988 | 2552 | WScript.exe | 32
PID 2552 wrote to memory of 1988 | 2552 | WScript.exe | 32
PID 2552 wrote to memory of 1988 | 2552 | WScript.exe | 32
PID 2552 wrote to memory of 1988 | 2552 | WScript.exe | 32
PID 1988 wrote to memory of 2896 | 1988 | cmd.exe | 34
PID 1988 wrote to memory of 2896 | 1988 | cmd.exe | 34
PID 1988 wrote to memory of 2896 | 1988 | cmd.exe | 34
PID 1988 wrote to memory of 2896 | 1988 | cmd.exe | 34
PID 2896 wrote to memory of 1180 | 2896 | DllCommonsvc.exe | 48
PID 2896 wrote to memory of 1180 | 2896 | DllCommonsvc.exe | 48
PID 2896 wrote to memory of 1180 | 2896 | DllCommonsvc.exe | 48
PID 2896 wrote to memory of 1644 | 2896 | DllCommonsvc.exe | 49
PID 2896 wrote to memory of 1644 | 2896 | DllCommonsvc.exe | 49
PID 2896 wrote to memory of 1644 | 2896 | DllCommonsvc.exe | 49
PID 2896 wrote to memory of 1624 | 2896 | DllCommonsvc.exe | 50
PID 2896 wrote to memory of 1624 | 2896 | DllCommonsvc.exe | 50
PID 2896 wrote to memory of 1624 | 2896 | DllCommonsvc.exe | 50
PID 2896 wrote to memory of 1896 | 2896 | DllCommonsvc.exe | 51
PID 2896 wrote to memory of 1896 | 2896 | DllCommonsvc.exe | 51
PID 2896 wrote to memory of 1896 | 2896 | DllCommonsvc.exe | 51
PID 2896 wrote to memory of 1708 | 2896 | DllCommonsvc.exe | 53
PID 2896 wrote to memory of 1708 | 2896 | DllCommonsvc.exe | 53
PID 2896 wrote to memory of 1708 | 2896 | DllCommonsvc.exe | 53
PID 2896 wrote to memory of 2432 | 2896 | DllCommonsvc.exe | 58
PID 2896 wrote to memory of 2432 | 2896 | DllCommonsvc.exe | 58
PID 2896 wrote to memory of 2432 | 2896 | DllCommonsvc.exe | 58
PID 2432 wrote to memory of 2452 | 2432 | csrss.exe | 59
PID 2432 wrote to memory of 2452 | 2432 | csrss.exe | 59
PID 2432 wrote to memory of 2452 | 2432 | csrss.exe | 59
PID 2452 wrote to memory of 764 | 2452 | cmd.exe | 61
PID 2452 wrote to memory of 764 | 2452 | cmd.exe | 61
PID 2452 wrote to memory of 764 | 2452 | cmd.exe | 61
PID 2452 wrote to memory of 2068 | 2452 | cmd.exe | 62
PID 2452 wrote to memory of 2068 | 2452 | cmd.exe | 62
PID 2452 wrote to memory of 2068 | 2452 | cmd.exe | 62
PID 2068 wrote to memory of 944 | 2068 | csrss.exe | 63
PID 2068 wrote to memory of 944 | 2068 | csrss.exe | 63
PID 2068 wrote to memory of 944 | 2068 | csrss.exe | 63
PID 944 wrote to memory of 2156 | 944 | cmd.exe | 65
PID 944 wrote to memory of 2156 | 944 | cmd.exe | 65
PID 944 wrote to memory of 2156 | 944 | cmd.exe | 65
PID 944 wrote to memory of 2800 | 944 | cmd.exe | 66
PID 944 wrote to memory of 2800 | 944 | cmd.exe | 66
PID 944 wrote to memory of 2800 | 944 | cmd.exe | 66
PID 2800 wrote to memory of 1540 | 2800 | csrss.exe | 67
PID 2800 wrote to memory of 1540 | 2800 | csrss.exe | 67
PID 2800 wrote to memory of 1540 | 2800 | csrss.exe | 67
PID 1540 wrote to memory of 348 | 1540 | cmd.exe | 69
PID 1540 wrote to memory of 348 | 1540 | cmd.exe | 69
PID 1540 wrote to memory of 348 | 1540 | cmd.exe | 69
PID 1540 wrote to memory of 1692 | 1540 | cmd.exe | 70
PID 1540 wrote to memory of 1692 | 1540 | cmd.exe | 70
PID 1540 wrote to memory of 1692 | 1540 | cmd.exe | 70
PID 1692 wrote to memory of 1720 | 1692 | csrss.exe | 71
PID 1692 wrote to memory of 1720 | 1692 | csrss.exe | 71
PID 1692 wrote to memory of 1720 | 1692 | csrss.exe | 71
PID 1720 wrote to memory of 2300 | 1720 | cmd.exe | 73
PID 1720 wrote to memory of 2300 | 1720 | cmd.exe | 73
PID 1720 wrote to memory of 2300 | 1720 | cmd.exe | 73
PID 1720 wrote to memory of 1568 | 1720 | cmd.exe | 74

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[level 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d1424eaa60b12379d786db65f2d5d735802e80d10bb801421cc8b2b6115a598.exe
  command: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d1424eaa60b12379d786db65f2d5d735802e80d10bb801421cc8b2b6115a598.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2408

[level 2] C:\Windows\SysWOW64\WScript.exe
  command: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2552

[level 3] C:\Windows\SysWOW64\cmd.exe
  command: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1988

[level 4] C:\providercommon\DllCommonsvc.exe
  command: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2896

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1180

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\OSPPSVC.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1644

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1624

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1896

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1708

[level 5] C:\Program Files\MSBuild\Microsoft\csrss.exe
  command: "C:\Program Files\MSBuild\Microsoft\csrss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2432

[level 6] C:\Windows\System32\cmd.exe
  command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2452

[level 7] C:\Windows\system32\w32tm.exe
  command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 764

[level 7] C:\Program Files\MSBuild\Microsoft\csrss.exe
  command: "C:\Program Files\MSBuild\Microsoft\csrss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2068

[level 8] C:\Windows\System32\cmd.exe
  command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat"
  - Suspicious use of WriteProcessMemory
  PID: 944

[level 9] C:\Windows\system32\w32tm.exe
  command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2156

[level 9] C:\Program Files\MSBuild\Microsoft\csrss.exe
  command: "C:\Program Files\MSBuild\Microsoft\csrss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2800

[level 10] C:\Windows\System32\cmd.exe
  command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1540

[level 11] C:\Windows\system32\w32tm.exe
  command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 348

[level 11] C:\Program Files\MSBuild\Microsoft\csrss.exe
  command: "C:\Program Files\MSBuild\Microsoft\csrss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1692

[level 12] C:\Windows\System32\cmd.exe
  command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1720

[level 13] C:\Windows\system32\w32tm.exe
  command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2300

[level 13] C:\Program Files\MSBuild\Microsoft\csrss.exe
  command: "C:\Program Files\MSBuild\Microsoft\csrss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1568

[level 14] C:\Windows\System32\cmd.exe
  command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat"
  PID: 2872

[level 15] C:\Windows\system32\w32tm.exe
  command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1728

[level 15] C:\Program Files\MSBuild\Microsoft\csrss.exe
  command: "C:\Program Files\MSBuild\Microsoft\csrss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2292

[level 16] C:\Windows\System32\cmd.exe
  command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LgxiiauvsB.bat"
  PID: 1536

[level 17] C:\Windows\system32\w32tm.exe
  command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1928

[level 17] C:\Program Files\MSBuild\Microsoft\csrss.exe
  command: "C:\Program Files\MSBuild\Microsoft\csrss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2952

[level 18] C:\Windows\System32\cmd.exe
  command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat"
  PID: 2456

[level 19] C:\Windows\system32\w32tm.exe
  command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1352

[level 19] C:\Program Files\MSBuild\Microsoft\csrss.exe
  command: "C:\Program Files\MSBuild\Microsoft\csrss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2280

[level 20] C:\Windows\System32\cmd.exe
  command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat"
  PID: 2860

[level 21] C:\Windows\system32\w32tm.exe
  command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2856

[level 21] C:\Program Files\MSBuild\Microsoft\csrss.exe
  command: "C:\Program Files\MSBuild\Microsoft\csrss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2600

[level 22] C:\Windows\System32\cmd.exe
  command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat"
  PID: 3040

[level 23] C:\Windows\system32\w32tm.exe
  command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2128

[level 23] C:\Program Files\MSBuild\Microsoft\csrss.exe
  command: "C:\Program Files\MSBuild\Microsoft\csrss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1668

[level 24] C:\Windows\System32\cmd.exe
  command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat"
  PID: 1664

[level 25] C:\Windows\system32\w32tm.exe
  command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2468

[level 25] C:\Program Files\MSBuild\Microsoft\csrss.exe
  command: "C:\Program Files\MSBuild\Microsoft\csrss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2784

[level 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\OSPPSVC.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2996

[level 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\OSPPSVC.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2744

[level 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\OSPPSVC.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2916

[level 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2636

[level 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2728

[level 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2172

[level 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1984

[level 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2008

[level 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2020

[level 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1596

[level 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1348

[level 1] C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2128
Network
MITRE ATT&CK Enterprise v15
Downloads