Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2024 01:02

General

  • Target

    JaffaCakes118_6b144bcf04c6f084a1bb7fc699a57110245ebed317855dbf2ec5a168e01c6de8.exe

  • Size

    1.3MB

  • MD5

    64cae7d041c959ee7545970d9622c85c

  • SHA1

    1cf9db970ac32d19cd3db570ac42739ec3589549

  • SHA256

    6b144bcf04c6f084a1bb7fc699a57110245ebed317855dbf2ec5a168e01c6de8

  • SHA512

    4bcf5b15c5213bfc07b19045bcd30c690910f8c1db458bfc284c7b48b055c43be57788409ca83b29cf1c728d5b3c62e0d40b07d30a64b21b6be2805d448c5651

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b144bcf04c6f084a1bb7fc699a57110245ebed317855dbf2ec5a168e01c6de8.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b144bcf04c6f084a1bb7fc699a57110245ebed317855dbf2ec5a168e01c6de8.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1824
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2972
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2776
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2604
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2596
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2172
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1168
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2716
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1036
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1580
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2556
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1040
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2560
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2388
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1576
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1620
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2072
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:804
          • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
            "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2540
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9kwbr7Wkdx.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2248
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2072
                • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
                  "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2384
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hD3D8PLBZ9.bat"
                    8⤵
                      PID:2420
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:2492
                        • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
                          "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2276
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat"
                            10⤵
                              PID:596
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                11⤵
                                  PID:720
                                • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
                                  "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
                                  11⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:524
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat"
                                    12⤵
                                      PID:880
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        13⤵
                                          PID:680
                                        • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
                                          "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
                                          13⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2456
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat"
                                            14⤵
                                              PID:1500
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                15⤵
                                                  PID:1468
                                                • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
                                                  "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
                                                  15⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2492
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat"
                                                    16⤵
                                                      PID:2080
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        17⤵
                                                          PID:536
                                                        • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
                                                          "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
                                                          17⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2172
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat"
                                                            18⤵
                                                              PID:2476
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                19⤵
                                                                  PID:1172
                                                                • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
                                                                  "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
                                                                  19⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:704
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat"
                                                                    20⤵
                                                                      PID:1688
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        21⤵
                                                                          PID:1532
                                                                        • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
                                                                          "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
                                                                          21⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2872
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2836
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2056
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2192
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:832
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2748
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2452
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\lsm.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1920
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\lsm.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:932
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\lsm.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2268
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\explorer.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2252
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\explorer.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:784
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\explorer.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2416
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\DllCommonsvc.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1956
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\DllCommonsvc.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:3068
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\DllCommonsvc.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2112
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\Idle.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1628
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Desktop\Idle.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2448
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Desktop\Idle.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1112
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\Globalization\OSPPSVC.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:792
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Globalization\OSPPSVC.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2080
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\OSPPSVC.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1768
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\providercommon\sppsvc.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2436
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2428
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2504
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1260
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2052
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2220
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\conhost.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2384
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\debug\conhost.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2188
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\debug\conhost.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:864
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2004
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1964
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1208
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\explorer.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2228
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Vss\explorer.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1100
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\Vss\explorer.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1932
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2704
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2060
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1544
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\smss.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2664
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\smss.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1324
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\smss.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2012

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  17f7772594ba2d9bcc17b0d083c1dd2d

                                  SHA1

                                  c2dd2dfd38edbba897027c9de1bc1293b5ab408f

                                  SHA256

                                  11a9ae80c45176aebdfdbfd3df70c9d71b9b4863b41a3b49ae01aa43c1ac6627

                                  SHA512

                                  7419b95d870b1450b1df480fcef5d4d6d4fc3ca4aa72e1d3582a4eae5d57902701f32cfc0b3f97d1416e03cdf6718b29b6dd29783be3f9490fbb3d8191d01b53

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  cb8e866597483b24154184d9ef6f3f4a

                                  SHA1

                                  793e2cdb47027096a9a4becb1b551f0953216008

                                  SHA256

                                  687bdcacedcf79270878dd326ec4f4e35554ad7af13d0bab2edeff2c8bce64e5

                                  SHA512

                                  d38e029e36351ea2bab4eca19544b1e269acf2dae435f3c0a036a3b2ddaa5fdaa2213d5ae0db691b1f52fde65a7cba9c4b1bbe63cab6e55c7f4192e5ac4e4d17

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  ae779f67a872fc59e049ee02c42d5d62

                                  SHA1

                                  f0607b34f3fc2e7e51e54d95f1c68a2ca4817e99

                                  SHA256

                                  fccf1230773eeea410fdaa928aef65aaa7571c93de315226e9399984b2ce2432

                                  SHA512

                                  a97b0c23bc8b4fc7746c2f1b311c84f6f5c7e2c69ed64c40871ab3f0bad57baa7c6f3a044d49a537927eedf68408a5d4017a410598c060fd6e35190932ba9616

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  a78bbc195bc85cba0b2bbe5f379a238e

                                  SHA1

                                  affc17fd649372000cd010125dd46c3d302f1dbc

                                  SHA256

                                  d64a2569bfd702e37f5dad70c1d1edc87059461438c9291d23c0dc3ef6992db3

                                  SHA512

                                  314cb9eea531fb99af4775cd4296ab705c49f3783ad872317104f031f4de92909739f5dffb51bc7629b3bd99712cd374fa098e744fca43483167e2070ff0392e

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  4317cd203828d06d549473f0f4b3e8e4

                                  SHA1

                                  1edf58c4467c249330d8632de658ddb63a62225c

                                  SHA256

                                  3a88ab501916aeb01b1075b50d3bf1a9dd3c330d89f04758679c098dc63229ef

                                  SHA512

                                  15e03c6c00329923c23131d3fe3176d762374507883b413d575c5304d6d1017adf8a509d856556a1145ec47a7f825810162873d599ec774928e28d6f495bdb19

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  6998a5cb1b61da65eb144ba573b6166a

                                  SHA1

                                  75811e263c88e4743b520ef9dfc1ba8d0b81d61b

                                  SHA256

                                  461936d8ae461233b3e4ae162c4994aed083c45267d47dbf4f485c8be52905fd

                                  SHA512

                                  41bc4e74005bb606dc2f03b5dd79b7733f153ed8ea968e1724b5b174a3553eb54bcc9b11d3b7c9fd085cd7265bc8c5ac7ea1509a4bc15c3a94ccbb43480b048a

                                • C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat

                                  Filesize

                                  235B

                                  MD5

                                  e0cb6fd7c142965161706072098fbd85

                                  SHA1

                                  348591535625bd6f837dd49efccd32853d22b264

                                  SHA256

                                  8184f8e57834ac3ea7a1b057ba5b9762b67a61d52126558b5b4eb14e72862b57

                                  SHA512

                                  8a67470364f71001f4c50bafcd1ad941e461f022765792c38f07970d9dd002c76ffce6b2a74aafd364aeecd6318a923346dd77be2b738ca51e34a833f5901e5f

                                • C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat

                                  Filesize

                                  235B

                                  MD5

                                  f450f9fedc1755947948af786fa6f643

                                  SHA1

                                  99eff3aae332bc5f5eb8eccad5b9db93a8f799fb

                                  SHA256

                                  322c07288737104b8dbc7e9463db6d51cdaac4607b6e7bb6c0198be40c43880d

                                  SHA512

                                  c049451868a4b01afc4e74fc31ecf164954ff58ca51ccf59737af079c847bbe503b9d631e3c3c97432786fd55f1bb802b283de028af4f7b80e05dead151ada00

                                • C:\Users\Admin\AppData\Local\Temp\9kwbr7Wkdx.bat

                                  Filesize

                                  235B

                                  MD5

                                  50392302d1c3526e490f0baef87a7018

                                  SHA1

                                  17aa0a74f6e715f3e039d8529b3194c64b816855

                                  SHA256

                                  3a00bfa7d320d90a6de2a524a2b0b5e0a464b28eb39678a9c5085088ad7fa627

                                  SHA512

                                  2a732ebf944d90971e478260cd6e88e4fcf7524cee4bbdb335ea61985cab94b2011ccca6ddf43b62a54a47bfb46bdefaae715b5494bae37748a2291c2360f8ce

                                • C:\Users\Admin\AppData\Local\Temp\CabE227.tmp

                                  Filesize

                                  70KB

                                  MD5

                                  49aebf8cbd62d92ac215b2923fb1b9f5

                                  SHA1

                                  1723be06719828dda65ad804298d0431f6aff976

                                  SHA256

                                  b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                  SHA512

                                  bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                • C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat

                                  Filesize

                                  235B

                                  MD5

                                  9b1a49aa4f59452377bbedb37bf33025

                                  SHA1

                                  d758379d180c30fe2461cfd8496f0ba48e289ac6

                                  SHA256

                                  627b1151b324e1fd2cae5206fb20262d1c6937562c3a9d04daab323d64c455b0

                                  SHA512

                                  8ef2e19a7a41098bab5e86c300c59dca4cb077bb75145ecec0e0b4d7fbaa1c807ac0498f799bb901a2148fe664608e6a1a869addea036ef69ba26bbdf1d16c9a

                                • C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat

                                  Filesize

                                  235B

                                  MD5

                                  c797c6c32f20dce33111ddbfe6c94641

                                  SHA1

                                  8a280f364b9f40dd4382694fd1a43d56849302a1

                                  SHA256

                                  3caa30f5c8ee21d6f5b8e06dfd02f631059a3d77d8c7dd92a29281e934fe2101

                                  SHA512

                                  3dc9892cf57163d8e001a978f145a6ca0816a71beb206a2d5517f3841350f1991bb8c69a09d02d473744768d67eee4b3d32d9afa9c70b1f2b96baadc34220bcf

                                • C:\Users\Admin\AppData\Local\Temp\TarE259.tmp

                                  Filesize

                                  181KB

                                  MD5

                                  4ea6026cf93ec6338144661bf1202cd1

                                  SHA1

                                  a1dec9044f750ad887935a01430bf49322fbdcb7

                                  SHA256

                                  8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                  SHA512

                                  6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                • C:\Users\Admin\AppData\Local\Temp\hD3D8PLBZ9.bat

                                  Filesize

                                  235B

                                  MD5

                                  3947f4b5ceaa626216ccfb70a9360b0f

                                  SHA1

                                  e790b689fabe0288fba987ca6b83491204942d2e

                                  SHA256

                                  f22ca1a9c0caee50abd04dd73a2ea4a9d58efea880bb21150800bae6b19ee456

                                  SHA512

                                  3621a71a514db2f68d4f40e022f167c97225b3260ac6a9e5db9983ed7797df493a9313beaeab573739a0aa931f4b748dd5d0e94cd43f5f7d58ce1208a1a3dd0c

                                • C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat

                                  Filesize

                                  235B

                                  MD5

                                  04e5068ac3993e51ac2946fb10efb02f

                                  SHA1

                                  e1ef1b284e4044d58bb9058292b8413ba4a7cba6

                                  SHA256

                                  b0168e15313caa281b607cc7c4cdda442ac0ac71cee700248ea02ae4ef1a1be5

                                  SHA512

                                  3fde4041682328a6168664ad3b78d946242da676f14bf6c99bb1bb07f93d803eaec3e551a49f2edc2272738f28b4ee9d25d43267bb173afad0e316ebac5e7ecb

                                • C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat

                                  Filesize

                                  235B

                                  MD5

                                  cf26b0e50f65bac712b6adf2c4d7ecac

                                  SHA1

                                  242a65695569e853841f6741bc61220f792648b2

                                  SHA256

                                  6f0028ed01f420637f41d9002988f09c1ac583388cb5fa58c54e647cfdb689a9

                                  SHA512

                                  f276e954b3186438bcce65a5d61d885ff45ce91d432b003c06296f8d425ce3974f0d095511468b4f69c51b4c4449eaa9af30bfa19f07acf03b59af43ea8f5eca

                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                  Filesize

                                  7KB

                                  MD5

                                  3399f273c48048650afe64482323af11

                                  SHA1

                                  c95a3811e42ee3a5200a517a6551cee852dd9f93

                                  SHA256

                                  dd32cc5661b3d050a01c907a2488e783373f79a320e086ba875e20f6c05705e9

                                  SHA512

                                  81b361ba20972eac62a371855a9c978cca7efe2ba0d6d15faac7332968f3cc2917545cdb68fb9a140c982a1fc42926351f8564aad8951d4154dc950d3a489ed5

                                • C:\providercommon\1zu9dW.bat

                                  Filesize

                                  36B

                                  MD5

                                  6783c3ee07c7d151ceac57f1f9c8bed7

                                  SHA1

                                  17468f98f95bf504cc1f83c49e49a78526b3ea03

                                  SHA256

                                  8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                  SHA512

                                  c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                  Filesize

                                  197B

                                  MD5

                                  8088241160261560a02c84025d107592

                                  SHA1

                                  083121f7027557570994c9fc211df61730455bb5

                                  SHA256

                                  2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                  SHA512

                                  20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                • \providercommon\DllCommonsvc.exe

                                  Filesize

                                  1.0MB

                                  MD5

                                  bd31e94b4143c4ce49c17d3af46bcad0

                                  SHA1

                                  f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                  SHA256

                                  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                  SHA512

                                  f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                • memory/524-305-0x0000000000160000-0x0000000000270000-memory.dmp

                                  Filesize

                                  1.1MB

                                • memory/524-306-0x0000000000270000-0x0000000000282000-memory.dmp

                                  Filesize

                                  72KB

                                • memory/2388-69-0x0000000002410000-0x0000000002418000-memory.dmp

                                  Filesize

                                  32KB

                                • memory/2388-67-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

                                  Filesize

                                  2.9MB

                                • memory/2456-366-0x00000000013A0000-0x00000000014B0000-memory.dmp

                                  Filesize

                                  1.1MB

                                • memory/2540-52-0x0000000001280000-0x0000000001390000-memory.dmp

                                  Filesize

                                  1.1MB

                                • memory/2776-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

                                  Filesize

                                  48KB

                                • memory/2776-13-0x0000000000F70000-0x0000000001080000-memory.dmp

                                  Filesize

                                  1.1MB

                                • memory/2776-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

                                  Filesize

                                  72KB

                                • memory/2776-15-0x00000000003D0000-0x00000000003DC000-memory.dmp

                                  Filesize

                                  48KB

                                • memory/2776-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

                                  Filesize

                                  48KB

                                • memory/2872-571-0x0000000000240000-0x0000000000252000-memory.dmp

                                  Filesize

                                  72KB