Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted
    21-12-2024 20:39

General

  • Target

    JaffaCakes118_74923c5d4bbc06b927e307c7685ba04375ccde9a565da6be0f0bd2b8dc167247.exe

  • Size

    1.3MB

  • MD5

    529a45efc155aaa872854d4c33effc8c

  • SHA1

    48cee4c8a3cd4009aeb3c3e072e08427c1b88715

  • SHA256

    74923c5d4bbc06b927e307c7685ba04375ccde9a565da6be0f0bd2b8dc167247

  • SHA512

    e04c122507b00a93e9f30884c927ac5f71f2a50cc136c4bcd505a36e80ff86f1be6fd3a9e0a3d3c757f01cf815d6e81c2007463c78ab8a5b358cf5d44558843f

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal RAT (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 10 IoCs

    Detects the DCRat payload, which is commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_74923c5d4bbc06b927e307c7685ba04375ccde9a565da6be0f0bd2b8dc167247.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_74923c5d4bbc06b927e307c7685ba04375ccde9a565da6be0f0bd2b8dc167247.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2248
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:484
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2184
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2172
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1408
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2260
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:548
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1072
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\LocalService\Favorites\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1120
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2516
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2348
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2660
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2656
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ef3HHNb2vL.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1596
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:3016
              • C:\Windows\ServiceProfiles\LocalService\Favorites\OSPPSVC.exe
                "C:\Windows\ServiceProfiles\LocalService\Favorites\OSPPSVC.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2884
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1916
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:692
                    • C:\Windows\ServiceProfiles\LocalService\Favorites\OSPPSVC.exe
                      "C:\Windows\ServiceProfiles\LocalService\Favorites\OSPPSVC.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1668
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mv8e4zbUuN.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2428
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:1964
                          • C:\Windows\ServiceProfiles\LocalService\Favorites\OSPPSVC.exe
                            "C:\Windows\ServiceProfiles\LocalService\Favorites\OSPPSVC.exe"
                            10⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2896
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat"
                              11⤵
                                PID:1604
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  12⤵
                                    PID:2932
                                  • C:\Windows\ServiceProfiles\LocalService\Favorites\OSPPSVC.exe
                                    "C:\Windows\ServiceProfiles\LocalService\Favorites\OSPPSVC.exe"
                                    12⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2980
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat"
                                      13⤵
                                        PID:1764
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          14⤵
                                            PID:2924
                                          • C:\Windows\ServiceProfiles\LocalService\Favorites\OSPPSVC.exe
                                            "C:\Windows\ServiceProfiles\LocalService\Favorites\OSPPSVC.exe"
                                            14⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2960
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0SbqORFfit.bat"
                                              15⤵
                                                PID:1732
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  16⤵
                                                    PID:2368
                                                  • C:\Windows\ServiceProfiles\LocalService\Favorites\OSPPSVC.exe
                                                    "C:\Windows\ServiceProfiles\LocalService\Favorites\OSPPSVC.exe"
                                                    16⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2080
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NADK710Kqv.bat"
                                                      17⤵
                                                        PID:448
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          18⤵
                                                            PID:3056
                                                          • C:\Windows\ServiceProfiles\LocalService\Favorites\OSPPSVC.exe
                                                            "C:\Windows\ServiceProfiles\LocalService\Favorites\OSPPSVC.exe"
                                                            18⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2640
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat"
                                                              19⤵
                                                                PID:1260
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  20⤵
                                                                    PID:1652
                                                                  • C:\Windows\ServiceProfiles\LocalService\Favorites\OSPPSVC.exe
                                                                    "C:\Windows\ServiceProfiles\LocalService\Favorites\OSPPSVC.exe"
                                                                    20⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1800
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iqKdioc4MG.bat"
                                                                      21⤵
                                                                        PID:820
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          22⤵
                                                                            PID:236
                                                                          • C:\Windows\ServiceProfiles\LocalService\Favorites\OSPPSVC.exe
                                                                            "C:\Windows\ServiceProfiles\LocalService\Favorites\OSPPSVC.exe"
                                                                            22⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2992
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Libraries\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2960
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2952
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2732
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2692
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2576
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2544
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2540
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1296
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1644
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\LocalService\Favorites\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Favorites\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\LocalService\Favorites\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2892
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2336
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1020
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1492
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1300
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1752
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2176
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1852
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1924
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:980
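Detection logic for the two behaviours in this tree that matter most for triage, the Add-MpPreference exclusions and the schtasks persistence, as an added example that is not part of the sandbox report or of DCRat itself. It parses command lines of the shape shown above and flags Defender exclusion additions, scheduled tasks whose target borrows a system-binary name (smss, lsm, dwm, wininit, WmiPrvSE, OSPPSVC, System) outside its normal directory, tasks created with /rl HIGHEST or a short /sc MINUTE interval, and the w32tm localhost poll that precedes each relaunch in the batch files. The sample lines are copied from the process tree (with one constructed benign control line); the allow-list of legitimate directories is a simplified assumption for a default Windows/Office install.

```python
"""Flag DCRat-style persistence and defence evasion in process command lines (added example)."""
import ntpath
import re

# Constructed sample input: command lines taken from the process tree above (the
# quoting around "powershell" is dropped) plus one benign control line.
SAMPLE_CMDLINES = [
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'",
    r"""schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Libraries\WmiPrvSE.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /f""",
    r"""schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f""",
    r"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
    r"""schtasks.exe /create /tn "NightlyBackup" /sc DAILY /tr "C:\Program Files\Vendor\backup.exe" /f""",  # constructed, benign
]

# Assumption: simplified allow-list of where these binary names legitimately live
# on a default Windows/Office install (lower-cased, no trailing backslash).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
LEGITIMATE_DIRS = {
    "smss.exe": SYSTEM_DIRS, "lsm.exe": SYSTEM_DIRS, "dwm.exe": SYSTEM_DIRS, "wininit.exe": SYSTEM_DIRS,
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "osppsvc.exe": {r"c:\program files\common files\microsoft shared\officesoftwareprotectionplatform"},
    "system.exe": set(),  # no legitimate binary of this name: flag it anywhere
}


def _opt(cmdline, flag):
    """Value following a schtasks switch such as /tn or /tr (double-quoted or bare), else None."""
    m = re.search(r"(?i)(?<!\S)" + re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_schtasks(cmdline):
    """Parse a 'schtasks /create' command line into its persistence-relevant fields."""
    if not re.search(r"(?i)schtasks(?:\.exe)?\s+/create\b", cmdline):
        return None
    return {
        "tn": _opt(cmdline, "/tn"),
        "sc": (_opt(cmdline, "/sc") or "").upper(),
        "mo": _opt(cmdline, "/mo"),
        "tr": (_opt(cmdline, "/tr") or "").strip("'\""),  # the tree wraps the path in "'...'"
        "rl": (_opt(cmdline, "/rl") or "").upper(),
        "force": bool(re.search(r"(?i)(?<!\S)/f(?!\S)", cmdline)),
    }


def parse_defender_exclusion(cmdline):
    """Return (kind, value) for an Add-MpPreference -Exclusion{Path,Process,Extension} call."""
    m = re.search(
        r"""(?i)Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|"([^"]*)"|(\S+))""",
        cmdline,
    )
    if not m:
        return None
    value = next(g for g in m.groups()[1:] if g is not None)
    return m.group(1).capitalize(), value


def is_masquerading_path(path):
    """True when a well-known system binary name sits outside its legitimate directory."""
    name = ntpath.basename(path).lower()
    if name not in LEGITIMATE_DIRS:
        return False
    parent = ntpath.dirname(path).lower().rstrip("\\")
    return parent not in LEGITIMATE_DIRS[name]


def analyze(cmdlines):
    """Run the checks over command lines and return a list of finding dicts."""
    findings = []
    for line in cmdlines:
        exclusion = parse_defender_exclusion(line)
        if exclusion:
            kind, value = exclusion
            findings.append({"rule": "defender_exclusion", "kind": kind, "value": value, "cmdline": line})
            continue
        task = parse_schtasks(line)
        if task:
            reasons = []
            if is_masquerading_path(task["tr"]):
                reasons.append("system-binary name outside its normal directory")
            if task["rl"] == "HIGHEST":
                reasons.append("task runs with highest privileges")
            if task["sc"] == "MINUTE" and task["mo"] and task["mo"].isdigit() and int(task["mo"]) <= 15:
                reasons.append(f"re-launched every {task['mo']} minutes")
            if reasons:
                findings.append({"rule": "scheduled_task", "task": task["tn"], "target": task["tr"],
                                 "reasons": reasons, "cmdline": line})
            continue
        # Each relaunch batch in the tree polls localhost with w32tm before starting the
        # payload again; it serves as a short delay and is rare in normal user sessions.
        if re.search(r"(?i)\bw32tm\b.*/stripchart", line):
            findings.append({"rule": "w32tm_delay", "cmdline": line})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_CMDLINES):
        print(f["rule"], {k: v for k, v in f.items() if k not in ("rule", "cmdline")})
```

Run against the seven sample lines it reports two exclusions, three tasks and one w32tm delay and stays silent on the benign daily backup task; feed it the command-line column of an EDR or sandbox export to apply the same checks at scale. The directory allow-list is the part to tune per environment.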

Network

MITRE ATT&CK Enterprise v15


                                Downloads

                                • memory/768-573-0x0000000000430000-0x0000000000442000-memory.dmp (Filesize 72KB)
                                • memory/768-572-0x00000000008C0000-0x00000000009D0000-memory.dmp (Filesize 1.1MB)
                                • memory/1408-50-0x000000001B550000-0x000000001B832000-memory.dmp (Filesize 2.9MB)
                                • memory/1408-66-0x0000000002850000-0x0000000002858000-memory.dmp (Filesize 32KB)
                                • memory/1668-153-0x0000000000F70000-0x0000000001080000-memory.dmp (Filesize 1.1MB)
                                • memory/1800-512-0x0000000000310000-0x0000000000420000-memory.dmp (Filesize 1.1MB)
                                • memory/2184-15-0x0000000000150000-0x000000000015C000-memory.dmp (Filesize 48KB)
                                • memory/2184-14-0x0000000000140000-0x0000000000152000-memory.dmp (Filesize 72KB)
                                • memory/2184-13-0x00000000010F0000-0x0000000001200000-memory.dmp (Filesize 1.1MB)
                                • memory/2184-16-0x0000000000180000-0x000000000018C000-memory.dmp (Filesize 48KB)
                                • memory/2184-17-0x0000000000160000-0x000000000016C000-memory.dmp (Filesize 48KB)
                                • memory/2640-452-0x0000000000390000-0x00000000004A0000-memory.dmp (Filesize 1.1MB)
                                • memory/2884-94-0x00000000008F0000-0x0000000000A00000-memory.dmp (Filesize 1.1MB)
                                • memory/2896-213-0x00000000000B0000-0x00000000001C0000-memory.dmp (Filesize 1.1MB)
                                • memory/2960-333-0x0000000000B30000-0x0000000000C40000-memory.dmp (Filesize 1.1MB)
                                • memory/2980-273-0x00000000009C0000-0x0000000000AD0000-memory.dmp (Filesize 1.1MB)