Analysis
max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20241010-en
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted
30/12/2024, 17:18
Behavioral task
behavioral1
Sample
JaffaCakes118_f0b7fb9a020e75a8afbc5f795e521b0fa245552b0c0bcf333391b6d6fefab483.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_f0b7fb9a020e75a8afbc5f795e521b0fa245552b0c0bcf333391b6d6fefab483.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_f0b7fb9a020e75a8afbc5f795e521b0fa245552b0c0bcf333391b6d6fefab483.exe
-
Size
1.3MB
-
MD5
299c7c03abcf15471356b945392a5089
-
SHA1
9458e5826cd7a493bf10e919b956bfcfb6454288
-
SHA256
f0b7fb9a020e75a8afbc5f795e521b0fa245552b0c0bcf333391b6d6fefab483
-
SHA512
51e7ccd1b7fbfd343f19a5c6ca79c228941bad697b5aed83e73fd3b2b515e2fcd233906141cb63980781d183bd1e7e0073c7633279a3dc55c026382c885aa0b3
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DcRat) is a .NET RAT, active since June 2019, that can load additional plugins at runtime.
-
Dcrat family
-
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run every hit is wmiprvse.exe (the WMI provider host) launching schtasks.exe, which is the lineage you get when a process is created through WMI (Win32_Process.Create); that needs no exploit against the provider host, so a rule keyed on the parent image alone should also look at the child's command line. The twelve schtasks /create command lines appear as top-level entries in the process tree further down.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2884 | 2712 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2600 | 2712 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2248 | 2712 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2936 | 2712 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 872 | 2712 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 432 | 2712 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1736 | 2712 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2312 | 2712 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2532 | 2712 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2964 | 2712 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2956 | 2712 | schtasks.exe | 33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3068 | 2712 | schtasks.exe | 33
resource | yara_rule
behavioral1/files/0x0002000000018334-11.dat | dcrat
behavioral1/memory/2136-13-0x0000000000100000-0x0000000000210000-memory.dmp | dcrat
behavioral1/memory/2272-43-0x0000000000DD0000-0x0000000000EE0000-memory.dmp | dcrat
behavioral1/memory/1876-115-0x0000000000FF0000-0x0000000001100000-memory.dmp | dcrat
behavioral1/memory/2488-352-0x00000000003D0000-0x00000000004E0000-memory.dmp | dcrat
behavioral1/memory/2268-412-0x00000000011D0000-0x00000000012E0000-memory.dmp | dcrat
behavioral1/memory/3060-472-0x00000000000E0000-0x00000000001F0000-memory.dmp | dcrat
behavioral1/memory/700-532-0x0000000000AB0000-0x0000000000BC0000-memory.dmp | dcrat
Every memory hit is a 0x110000-byte region in DllCommonsvc.exe (PID 2136) or one of the OSPPSVC.exe copies, i.e. the same dropped image mapped at a different base in each process; the on-disk hit is the dropped file itself.
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
PowerShell is run to add Windows Defender exclusions. The signature covers exclusions for file extensions, paths and processes; in this run each of the five calls is Add-MpPreference -ExclusionPath for one payload path (the dropped DllCommonsvc.exe, both OSPPSVC.exe copies, and the csrss.exe and winlogon.exe paths referenced by the scheduled tasks). Add-MpPreference needs administrative rights, so in a non-admin session the call fails while the command line still shows up in process-creation telemetry.
pid | Process
2300 | powershell.exe
2228 | powershell.exe
1692 | powershell.exe
2176 | powershell.exe
2892 | powershell.exe
Executes dropped EXE 10 IoCs
pid | Process
2136 | DllCommonsvc.exe
2272 | OSPPSVC.exe
1876 | OSPPSVC.exe
1396 | OSPPSVC.exe
2440 | OSPPSVC.exe
2692 | OSPPSVC.exe
2488 | OSPPSVC.exe
2268 | OSPPSVC.exe
3060 | OSPPSVC.exe
700 | OSPPSVC.exe
Loads dropped DLL 2 IoCs
pid | Process
2724 | cmd.exe
2724 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow | ioc
5 | raw.githubusercontent.com
31 | raw.githubusercontent.com
35 | raw.githubusercontent.com
4 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
16 | raw.githubusercontent.com
20 | raw.githubusercontent.com
24 | raw.githubusercontent.com
28 | raw.githubusercontent.com
Drops file in Program Files directory 5 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\1610b97d3ab4a7 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Google\Update\OSPPSVC.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files (x86)\Google\Update\OSPPSVC.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Google\Update\1610b97d3ab4a7 | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_f0b7fb9a020e75a8afbc5f795e521b0fa245552b0c0bcf333391b6d6fefab483.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2964 | schtasks.exe
3068 | schtasks.exe
2248 | schtasks.exe
872 | schtasks.exe
1736 | schtasks.exe
2532 | schtasks.exe
2312 | schtasks.exe
2956 | schtasks.exe
2884 | schtasks.exe
2600 | schtasks.exe
2936 | schtasks.exe
432 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid | Process
2136 | DllCommonsvc.exe
2300 | powershell.exe
1692 | powershell.exe
2228 | powershell.exe
2176 | powershell.exe
2892 | powershell.exe
2272 | OSPPSVC.exe
1876 | OSPPSVC.exe
1396 | OSPPSVC.exe
2440 | OSPPSVC.exe
2692 | OSPPSVC.exe
2488 | OSPPSVC.exe
2268 | OSPPSVC.exe
3060 | OSPPSVC.exe
700 | OSPPSVC.exe
Suspicious use of AdjustPrivilegeToken 15 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2136 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2300 | powershell.exe
Token: SeDebugPrivilege | 1692 | powershell.exe
Token: SeDebugPrivilege | 2228 | powershell.exe
Token: SeDebugPrivilege | 2272 | OSPPSVC.exe
Token: SeDebugPrivilege | 2176 | powershell.exe
Token: SeDebugPrivilege | 2892 | powershell.exe
Token: SeDebugPrivilege | 1876 | OSPPSVC.exe
Token: SeDebugPrivilege | 1396 | OSPPSVC.exe
Token: SeDebugPrivilege | 2440 | OSPPSVC.exe
Token: SeDebugPrivilege | 2692 | OSPPSVC.exe
Token: SeDebugPrivilege | 2488 | OSPPSVC.exe
Token: SeDebugPrivilege | 2268 | OSPPSVC.exe
Token: SeDebugPrivilege | 3060 | OSPPSVC.exe
Token: SeDebugPrivilege | 700 | OSPPSVC.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | calls
PID 2220 wrote to memory of 2864 | 2220 | JaffaCakes118_f0b7fb9a020e75a8afbc5f795e521b0fa245552b0c0bcf333391b6d6fefab483.exe | 29 | 4
PID 2864 wrote to memory of 2724 | 2864 | WScript.exe | 30 | 4
PID 2724 wrote to memory of 2136 | 2724 | cmd.exe | 32 | 4
PID 2136 wrote to memory of 2176 | 2136 | DllCommonsvc.exe | 46 | 3
PID 2136 wrote to memory of 1692 | 2136 | DllCommonsvc.exe | 47 | 3
PID 2136 wrote to memory of 2892 | 2136 | DllCommonsvc.exe | 48 | 3
PID 2136 wrote to memory of 2300 | 2136 | DllCommonsvc.exe | 49 | 3
PID 2136 wrote to memory of 2228 | 2136 | DllCommonsvc.exe | 50 | 3
PID 2136 wrote to memory of 2272 | 2136 | DllCommonsvc.exe | 56 | 3
PID 2272 wrote to memory of 2152 | 2272 | OSPPSVC.exe | 57 | 3
PID 2152 wrote to memory of 1724 | 2152 | cmd.exe | 59 | 3
PID 2152 wrote to memory of 1876 | 2152 | cmd.exe | 60 | 3
PID 1876 wrote to memory of 2508 | 1876 | OSPPSVC.exe | 61 | 3
PID 2508 wrote to memory of 836 | 2508 | cmd.exe | 63 | 3
PID 2508 wrote to memory of 1396 | 2508 | cmd.exe | 64 | 3
PID 1396 wrote to memory of 1920 | 1396 | OSPPSVC.exe | 65 | 3
PID 1920 wrote to memory of 2228 | 1920 | cmd.exe | 67 | 3
PID 1920 wrote to memory of 2440 | 1920 | cmd.exe | 68 | 3
PID 2440 wrote to memory of 2400 | 2440 | OSPPSVC.exe | 69 | 3
PID 2400 wrote to memory of 1644 | 2400 | cmd.exe | 71 | 3
PID 2400 wrote to memory of 2692 | 2400 | cmd.exe | 72 | 1
Identical rows are collapsed into the "calls" column; the table is capped at 64 IoCs, so the last row is cut short. Every write targets the child the writer has just created (compare the process tree), never an unrelated process, so this signature is not evidence of injection into a third-party process here.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
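The three behaviours the signatures above describe (WMI provider host spawning schtasks.exe, PowerShell adding Defender exclusions, schtasks /create persistence with system-binary names in odd directories) all reduce to command-line and lineage checks. The following is an added example written for this page, not code from the sandbox or from the sample; it runs those checks over process-creation events constructed from this report's tree. The ProcEvent field names, the rule names and the list of masquerade names are assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record. Field names are an assumption, not a sandbox or EDR schema."""
    pid: int
    parent_image: str
    image: str
    cmdline: str


# Windows system binaries whose names this kind of loader borrows for its copies (assumed list).
MASQUERADE_NAMES = {"csrss.exe", "winlogon.exe", "lsass.exe", "smss.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Parents that have no business launching script hosts or task-creation utilities.
UNEXPECTED_PARENTS = {"wmiprvse.exe"}
SCRIPTY_CHILDREN = {"schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

_TR = re.compile(r"/tr\s+\"'?(.*?)'?\"", re.I)   # /tr "'C:\x.exe'"  or  /tr "C:\x.exe"
_TN = re.compile(r"/tn\s+\"([^\"]+)\"", re.I)
_EXCL = re.compile(r"add-mppreference\b.*?-exclusion(path|process|extension)\s+'?\"?([^'\"]+)", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def schtasks_findings(ev: ProcEvent) -> list[tuple[str, str]]:
    """schtasks /create whose target masquerades as a system binary, runs elevated or fires at logon."""
    cmd = ev.cmdline.lower()
    if basename(ev.image) != "schtasks.exe" or "/create" not in cmd:
        return []
    tr, tn = _TR.search(ev.cmdline), _TN.search(ev.cmdline)
    target = tr.group(1) if tr else ""
    task = tn.group(1) if tn else "?"
    out = []
    if target and basename(target) in MASQUERADE_NAMES and not target.lower().startswith(SYSTEM_DIRS):
        out.append(("masqueraded_task_target", f"{task} -> {target}"))
    if "/rl highest" in cmd:
        out.append(("task_runs_highest", task))
    if "/sc onlogon" in cmd:
        out.append(("task_logon_trigger", task))
    if "/sc minute" in cmd:
        out.append(("task_minute_interval", task))
    return out


def defender_exclusion_findings(ev: ProcEvent) -> list[tuple[str, str]]:
    """PowerShell adding a Defender exclusion (path, process or extension)."""
    if basename(ev.image) != "powershell.exe":
        return []
    m = _EXCL.search(ev.cmdline)
    return [("defender_exclusion_added", f"{m.group(1).lower()}={m.group(2)}")] if m else []


def unexpected_parent_findings(ev: ProcEvent) -> list[tuple[str, str]]:
    """Lineage check: the WMI provider host spawning schtasks/cmd/powershell/wscript."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in UNEXPECTED_PARENTS and child in SCRIPTY_CHILDREN:
        return [("unexpected_parent", f"{parent} -> {child}")]
    return []


def analyze(events: list[ProcEvent]) -> list[tuple[int, str, str]]:
    """Returns (pid, rule, detail) triples; empty for benign events."""
    findings = []
    for ev in events:
        for rule, detail in schtasks_findings(ev) + defender_exclusion_findings(ev) + unexpected_parent_findings(ev):
            findings.append((ev.pid, rule, detail))
    return findings


# Constructed events mirroring three entries of the report's tree plus one benign control (not captured telemetry).
SAMPLE_EVENTS = [
    ProcEvent(2176, r"C:\providercommon\DllCommonsvc.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'"),
    ProcEvent(2312, r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\system32\schtasks.exe",
              r"""schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f"""),
    ProcEvent(2884, r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\system32\schtasks.exe",
              r"""schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\OSPPSVC.exe'" /f"""),
    # Benign control: a daily task created under svchost.exe that points into System32 (assumed, not from the report).
    ProcEvent(4100, r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\schtasks.exe",
              r"""schtasks.exe /create /tn "Maint" /sc DAILY /tr "C:\Windows\System32\wsqmcons.exe" /f"""),
]

if __name__ == "__main__":
    for pid, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"pid={pid} {rule}: {detail}")
```

The masquerade rule is the one that separates this sample's tasks from ordinary scheduled tasks: a task named csrss or winlogon that runs a binary of that name from C:\Recovery or C:\MSOCache rather than System32. The /rl HIGHEST and ONLOGON checks on their own match plenty of legitimate software, so they are better used to raise the score of a hit than as stand-alone alerts.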
Processes
The bracketed number on each entry is its nesting depth in the process tree.
[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f0b7fb9a020e75a8afbc5f795e521b0fa245552b0c0bcf333391b6d6fefab483.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f0b7fb9a020e75a8afbc5f795e521b0fa245552b0c0bcf333391b6d6fefab483.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2220
[2] C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2864
[3] C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2724
[4] C:\providercommon\DllCommonsvc.exe
    "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2136
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2176
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\OSPPSVC.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1692
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2892
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2300
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\winlogon.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2228
[5] C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2272
[6] C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2152
[7] C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1724
[7] C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1876
[8] C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2508
[9] C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 836
[9] C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1396
[10] C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3jGxsc69Nm.bat"
    - Suspicious use of WriteProcessMemory
    PID: 1920
[11] C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2228
[11] C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2440
[12] C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SK7IuFDp7o.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2400
[13] C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1644
[13] C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2692
[14] C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat"
    PID: 2924
[15] C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1952
[15] C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2488
[16] C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat"
    PID: 1028
[17] C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1956
[17] C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2268
[18] C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"
    PID: 808
[19] C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2956
[19] C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3060
[20] C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat"
    PID: 2620
[21] C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2928
[21] C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 700
[22] C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat"
    PID: 528
[23] C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 3068
[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\OSPPSVC.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2884
[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\OSPPSVC.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2600
[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\OSPPSVC.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2248
[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2936
[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 872
[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 432
[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1736
[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2312
[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2532
[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2964
[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2956
[1] C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 3068
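The tree above is as deep as it is because of one repeating unit: each OSPPSVC.exe instance runs cmd.exe on a temporary .bat, that batch file runs w32tm /stripchart (with /period:5 /samples:2 it blocks for roughly five seconds, so it serves as a sleep; that reading is the editor's inference, not a statement by the sandbox) and then launches OSPPSVC.exe again. The following added example, written for this page and not taken from the report or the sample, reconstructs parent/child lineage from process records constructed to follow the first levels of the tree, finds each "X -> cmd /C script.bat -> X" hop and measures the chain. Record field names and the list of delay utilities are assumptions. One caveat the report itself illustrates: PIDs are reused within a single run (2228 is a powershell.exe and later a w32tm.exe; 2956 and 3068 are each a w32tm.exe and a schtasks.exe), so real telemetry must be keyed on a unique process identifier rather than the PID; the sample below keeps one record per PID to stay simple.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    """One process-creation record. Field names are an assumption, not a sandbox or EDR schema."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Utilities commonly used inside batch files as a sleep substitute (assumed list).
DELAY_UTILS = {"w32tm.exe", "timeout.exe", "ping.exe"}
_BAT = re.compile(r'([A-Za-z]:\\[^"]+?\.bat)', re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_tree(procs: list[Proc]):
    """Index by PID and by parent PID. Assumes one record per PID (see the PID-reuse caveat above)."""
    by_pid = {p.pid: p for p in procs}
    children: dict[int, list[int]] = defaultdict(list)
    for p in procs:
        children[p.ppid].append(p.pid)
    return by_pid, children


def relaunch_hops(procs: list[Proc]) -> list[dict]:
    """One hop per 'X -> cmd.exe /C <script>.bat -> X' pattern found in the lineage."""
    by_pid, children = build_tree(procs)
    hops = []
    for p in procs:
        for cpid in children[p.pid]:
            c = by_pid[cpid]
            if basename(c.image) != "cmd.exe" or ".bat" not in c.cmdline.lower():
                continue
            grandkids = [by_pid[g] for g in children[cpid]]
            delays = [basename(g.image) for g in grandkids if basename(g.image) in DELAY_UTILS]
            relaunch = [g for g in grandkids if g.image.lower() == p.image.lower()]
            if relaunch:
                m = _BAT.search(c.cmdline)
                hops.append({"from": p.pid, "to": relaunch[0].pid,
                             "via_bat": m.group(1) if m else None, "delay": delays})
    return hops


def chain_lengths(hops: list[dict]) -> dict[int, int]:
    """Follow from->to links; returns {first pid of each chain: number of relaunches}."""
    nxt = {h["from"]: h["to"] for h in hops}
    starts = set(nxt) - set(nxt.values())
    lengths = {}
    for s in starts:
        n, cur = 0, s
        while cur in nxt:
            cur, n = nxt[cur], n + 1
        lengths[s] = n
    return lengths


def staging_scripts(hops: list[dict]) -> list[str]:
    """Temporary .bat paths that carried a relaunch: collect these early, they are short-lived."""
    return sorted({h["via_bat"] for h in hops if h["via_bat"]})


OSPP = r"C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe"
W32TM = r"C:\Windows\system32\w32tm.exe"
CMD = r"C:\Windows\System32\cmd.exe"
W32TM_CMD = "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"

# Constructed records following the report's tree from WScript.exe down to the third OSPPSVC.exe relaunch
# (not captured telemetry; PIDs and paths are copied from the tree above).
SAMPLE_PROCS = [
    Proc(2864, 2220, r"C:\Windows\SysWOW64\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"'),
    Proc(2724, 2864, r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c ""C:\providercommon\1zu9dW.bat" "'),
    Proc(2136, 2724, r"C:\providercommon\DllCommonsvc.exe", r'"C:\providercommon\DllCommonsvc.exe"'),
    Proc(2272, 2136, OSPP, f'"{OSPP}"'),
    Proc(2152, 2272, CMD, rf'"{CMD}" /C "C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat"'),
    Proc(1724, 2152, W32TM, W32TM_CMD),
    Proc(1876, 2152, OSPP, f'"{OSPP}"'),
    Proc(2508, 1876, CMD, rf'"{CMD}" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat"'),
    Proc(836, 2508, W32TM, W32TM_CMD),
    Proc(1396, 2508, OSPP, f'"{OSPP}"'),
    Proc(1920, 1396, CMD, rf'"{CMD}" /C "C:\Users\Admin\AppData\Local\Temp\3jGxsc69Nm.bat"'),
    Proc(2228, 1920, W32TM, W32TM_CMD),
    Proc(2440, 1920, OSPP, f'"{OSPP}"'),
]

if __name__ == "__main__":
    hops = relaunch_hops(SAMPLE_PROCS)
    for h in hops:
        print(f'{h["from"]} -> cmd /C {h["via_bat"]} (delay: {",".join(h["delay"]) or "none"}) -> {h["to"]}')
    print("relaunch chain lengths by first pid:", chain_lengths(hops))
    print("staging scripts to collect:", staging_scripts(hops))
```

The WScript.exe -> cmd.exe (1zu9dW.bat) -> DllCommonsvc.exe step is deliberately included as a non-hop: it is also "cmd on a .bat", but the grandchild is a different image, so it is the initial stage, not a relaunch. On the full tree the same walk yields a nine-hop chain, which is a far stronger signal than any single process-creation event in it.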
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 fc4d2682af7fc9565baf50d4c520b43b
SHA1 ab5950b337b5fa30566475df4090bf83a996c635
SHA256 3862aeaf9c524751c4560dab20e28fc1d245d3e0ea13a4b6d13542dd369ca8ad
SHA512 9f31664c516fcdc82862ca11855a592869eac4ecd1f000997815195d2831a80dcc1c407c5deb9f29e6ddbe66e2f8de45b093248b40a28ef2c848cd6ce8c8aca0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 593fd667a1bac51ce64d44250a06e12b
SHA1 6bd3f088f401d5713826235f50b4bc5e791a6c28
SHA256 7ed359f23348b0df1016add192cb22cb780845ef803634d5403a34fec8cb5bc3
SHA512 dd3dbda80aebf43d9b53d1a0a32dd51d7cd7e37811a83a290a72b24d38d85cd7dbb905296f717413ca79b36cd57a2f517fef096d17c13fca079af9ceb2ec4a5a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 18c8ebf0186010800ad82ddd82b4492a
SHA1 d7cdebcb7db5a0f84eb1e1202c8d786d47c59f63
SHA256 3f4773b5d6019213873ebae3373c15f2bc9794ca4e7e73239be93ad38e7bd373
SHA512 11becfa03bc587a29d61ef900d25836fd3ea6cf3dc5476289a35cb1f6deae0f6b5a560251c9569da716c8b4f3f4d14a70cad427514c3a626b914e4beabd99aa6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 d42b322c9c06b538e101a0e0804e7163
SHA1 53f2b83b9fc9ccf12a875bc22290a9b647782b63
SHA256 62ca149339f2a30d395388bc5edd9e046d4823165c041158ad4187b1fd70971e
SHA512 0985dd6da55ae4b361c3ce4c6d845a4d9730c9455b70568291514a3c8fd1be2efcb9d17d8ae687d00e9295e02d14d7761110b7632b60ec02e7bc9ac6e528406b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 726a9e9dae7dd38f0eebeae27181edd9
SHA1 8234d4f21383f17e688e6f1c19303edd5615236e
SHA256 61ea514949548d686ef8d9a65d52af2b94b514827dd2c81928e16974fe1d7bff
SHA512 0a08aea8b0e78a8fdb39e2af2fc5b1b563b3aa94e142a20d2d4e17dae939693aef17d142da41b803c6fdfefa3b6141dddd1a1e6f0f2855c4f1e50177ccba64cd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 a39eef1f3ade2695acd621e64d6b8e2a
SHA1 ba0a91f8e8c29755bb8023f99c9f155b521c4a64
SHA256 7153fd9c9fc9b6f46ca43f16369252196132a8be1aef7e17c53177ba9b5b0758
SHA512 c8c1becb330242fefa64b432f7ad2794f73496fd89bc1ffc7eaebb3add629ce9907887d86350da2bbc7cf7f5ab5983dba66b92ef2a70deb1a598a0eb450f2ee3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 f63b5f8e0a38401de29a39f4088000d7
SHA1 1a9310884adea3eba832ff304b72155a8889ad18
SHA256 80a6f0f314fa25085fcc2c6174a996768d44700e9ac09d1d173775f3cd9310e8
SHA512 ba6988962d8580dda5881a7f322dc64c947b5ec7a41848cc13039d6a6dfd036929a6fd6bdf4ff4ba663535668a8f998f66ef63b25599b31dd05744c48210f654
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 4f01fd040a2044a6a31a1839c3c98f7f
SHA1 23d221b0bf5beaf7c1e42ff58803caca5bc46151
SHA256 b21bbaecbca14f8ae1a8acbdb26a9984c309dc847c6e6e23bd6153c6a4ff3fa5
SHA512 71d7b21eeb8ca29384268983404f279f6b2876048f79ebcbe4d130dc046610076d3723a7afb506101b687fe0f36d6f3cbf91c696d01bd391fa707963fc6c0897
-
Filesize 227B
MD5 9960131623bc3f152f759237652002a4
SHA1 4a37a7ac50b9317640ce9dddb63092c31c1667b1
SHA256 2e1567b47678157594bf153f3c5aa8e534f4658723e1cdc9b08c79b84ea3c243
SHA512 18a5e9bb0f8ec1d5fcba182bea88f433e70a8fb785e64f92743936730a4429885b2a43ee270fff251a67905262374275afaa286b5cdd68c8716c6844738f54cd
-
Filesize 227B
MD5 de388986e876db27e9268b0178a8cf21
SHA1 4bf2865f7b6d0f18c6757154f6123a825fe7c442
SHA256 3af85f407cf25808ad02e04155340a789c0a186020be3229d10ba9ccbe896de9
SHA512 f2360f4264a0e1de60dafe6f3c0c2fec961186bf2a98d783c2017f6d72289dea39150d6209e3f362895624d32b28e565b7101394d7b0d417d8a9f5cd4b684025
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 227B
MD5 5a60f81554fdec18dd17fe07d5c16fb3
SHA1 4fab82c050ae096cd92858dfb5cd7152bfb6aa92
SHA256 b8d6adc5c2603165e3d7c5621b2d7d6169a4286cdc2c220d60388807086d282c
SHA512 bf491e1cef54c2105d9cb205bd08dc4a6ccb94cd425bedc827ef0ae60265787d489777885d02ef1e23ce40dfd383a1e364aa455c90b6b038e286d4c7dc5c4a79
-
Filesize 227B
MD5 ad3b5e04238baa4a866185b1d1ec8ec5
SHA1 8cf70deb584cf416db0463e92020f90cbefe8ceb
SHA256 eb264f90191965615f46793516e8651bc2c3a209f99f9ff0a762a3a89cbc46df
SHA512 6e4262207c76b46e836fc0b88fb9f1d73d45a1234c2b70a93217a0cccab25741340b003a5aaddeabb59ed4290f0cd29aa75646341ce8bf50b7c14a5977d95772
-
Filesize 227B
MD5 edffd067d5fbffa497eca1f4cd9a4a75
SHA1 9fd9ae2c20d441e4168b22f59a35c53d86daf67a
SHA256 b6bc00f6fdb713385007ce0610bf0741c31d969deba67cf2caa519df128ffa0c
SHA512 cac0e1761dea9726f71f52cf68b335e4060191a85ee372cb5a48649144d97848a26030341883de66c4c7f0fc36d1b149c1a4821d08183c249fdad1be599bd811
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 227B
MD5 c867e161b8068a936f08d2fcff71c8cb
SHA1 6897a2a034b4f5d3565f6fa07a65e052b8e8e4ed
SHA256 1d148732a566ab907f381919fd3b181b9eecabef121c1a6df6e21d1ad0da9032
SHA512 fc251061916c4b922d482b6765befc607562ef9a71234108cfd97b8e471496e9ef60d4e18c45e0cc9257549c5d0b9e57cd6660cc5d491673ab9dce598861033c
-
Filesize 227B
MD5 3c51181fd1094f83bdedf703f189b69e
SHA1 f9f60c0e260e0282be2fe4f98d9a5b5344562337
SHA256 d184eb5f9a6e67f70dfad02d95ec445b621d69853a000e646eb8e7f3b82e1140
SHA512 f688440952a5a805c1befd7975f12d329e21a88427d8763a0bd06eba8cfb76d4fa3bdca76e3cc688d8d27186a86b130a7f91651d0eb7370e05d951cebbb2e33d
-
Filesize 227B
MD5 27d719625744a0b162430a8f8a4d75c7
SHA1 665def5698e19f4bfbef1a26036e02d7e0d06d91
SHA256 fe8d2ab08b94433eb76fe8309cff4df1458ddae994045b816f8dae835e437b21
SHA512 bc3877b6e70075ca1de4a27302ab905f53fac7357637bd7f04ba9b0ea5154763f212b7e822c0619b67bf638e845cb16084c12a1d3b6434ba5cd75506c47d29a6
-
Filesize 227B
MD5 e9c0f9ee1019bc4f221de6ebcd634020
SHA1 73db4439ea1c016d01e4165a651de41699dcc52f
SHA256 efa0743c3d6b188e55a3b920eed6c1cffa1b5b509c45db751458eb1fbf4ff103
SHA512 27479344a86d1562d72206e9d807bf61207e2c12418d6f5194192cbd75bc0e53554ddff97f6fb73f313dcb9188f2aacafc55920ea0ae0d2e9047a7e26ec6a2ef
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 af8e04d5b5a634147d0c3ea162cec917
SHA1 bdb16b31ee37d5b152487de47e6280fc758a666b
SHA256 2c37cba27725d0f9ab3ad6d94fcd80e73150db2bf8316d19e04fce7cb4a72c07
SHA512 5d7c09fee9beec37a13c6e00fe90977cf2d782e887f680157ae2180beea94868523a3e190ad308b3d7517abb2f222fb8e46528b68e4542d985e085a9d581d294
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394