Analysis

  • max time kernel
    148s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-12-2024 01:15

General

  • Target

    JaffaCakes118_6da6f32ddec4d88499b2f22ef1db04349863d39f49efe903db3fa6d1759d142b.exe

  • Size

    1.3MB

  • MD5

    cf6af80ab793c0b281f4359e4372fc32

  • SHA1

    03db3a6ff5867f800ae63f927cf5c07ec98cec0d

  • SHA256

    6da6f32ddec4d88499b2f22ef1db04349863d39f49efe903db3fa6d1759d142b

  • SHA512

    fbe28145ee7668be15c7a52ea022b6b54a497d9590e1dbe566b3f99be26afc450d44fc0f2a0a56476b8216ff3228460440acdd675b85fe8a7710bcee6462ab3b

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes (here: Add-MpPreference -ExclusionPath for each dropped binary).

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
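The two signatures that matter most for response are the Defender exclusions and the scheduled tasks, because together they list every path the sample intends to keep alive: each dropped binary is first excluded from scanning and then registered as both an ONLOGON task and a MINUTE-interval task. The script below, added here as an example and not part of the sandbox report, of Tria.ge or of DCRat, parses command lines of that shape, flags targets whose filename is a Windows component living outside a system directory, and returns the intersection of "excluded" and "persisted" paths. SAMPLE_CMDLINES are adapted from the process tree further down (quoting around powershell simplified); SYSTEM_BINARY_NAMES and TRUSTED_DIRS are this example's own heuristic, not an authoritative list.

```python
"""Correlate Add-MpPreference exclusions with schtasks /create targets and
flag masquerading binaries. Added example; not code from the report or DCRat."""
import re

# Filenames of Windows components that this sample borrows (plus a few more).
# Heuristic list for the example, not a complete inventory.
SYSTEM_BINARY_NAMES = {
    "csrss.exe", "dwm.exe", "winlogon.exe", "services.exe", "wmiprvse.exe",
    "system.exe", "osppsvc.exe", "idle.exe", "cmd.exe", "svchost.exe", "lsass.exe",
}
# Directories where such names are expected; anywhere else is suspicious.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

EXCLUSION_RE = re.compile(r"add-mppreference\s+-exclusionpath\s+'([^']+)'", re.I)
SCHTASKS_RE = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)
TN_RE = re.compile(r'/tn\s+"([^"]+)"', re.I)
TR_RE = re.compile(r'''/tr\s+"'?([^'"]+)'?"''', re.I)  # the sample wraps the path in '...'
SC_RE = re.compile(r"/sc\s+(\w+)(?:\s+/mo\s+(\d+))?", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_masquerading(path):
    """True when a Windows-component filename lives outside a trusted directory."""
    p = path.lower()
    return basename(p) in SYSTEM_BINARY_NAMES and not p.startswith(TRUSTED_DIRS)


def parse_exclusion(cmdline):
    m = EXCLUSION_RE.search(cmdline)
    return m.group(1) if m else None


def parse_schtask(cmdline):
    """Return (task name, target path, schedule) for a schtasks /create, else None."""
    if not SCHTASKS_RE.search(cmdline):
        return None
    tn, tr, sc = TN_RE.search(cmdline), TR_RE.search(cmdline), SC_RE.search(cmdline)
    if not (tn and tr):
        return None
    schedule = sc.group(1).upper() if sc else "?"
    if sc and sc.group(2):
        schedule += f"/{sc.group(2)}min"
    return tn.group(1), tr.group(1), schedule


def analyze(cmdlines):
    """Paths that are both excluded from Defender and scheduled are the
    persistence set a responder should remove first."""
    exclusions, tasks = [], []
    for c in cmdlines:
        path = parse_exclusion(c)
        if path:
            exclusions.append(path)
            continue
        task = parse_schtask(c)
        if task:
            tasks.append(task)
    excluded = {p.lower() for p in exclusions}
    persisted = {t[1].lower() for t in tasks}
    return {
        "exclusions": exclusions,
        "tasks": tasks,
        "masquerading": sorted(p for p in excluded | persisted if is_masquerading(p)),
        "excluded_and_persisted": sorted(excluded & persisted),
    }


SAMPLE_CMDLINES = [  # adapted from the process tree in this report; last line is a control
    r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'""",
    r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'""",
    r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'""",
    r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\System.exe'""",
    r"""schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dwm.exe'" /f""",
    r"""schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\twain_32\System.exe'" /rl HIGHEST /f""",
    "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_CMDLINES).items():
        print(key, value)
```

DllCommonsvc.exe is excluded but never scheduled and has no system name, so it lands in `exclusions` only; the three component names dropped under C:\providercommon, C:\Users\Default User and C:\Windows\twain_32 are reported as masquerading and as both excluded and persisted. On a live host the same logic applies to `Get-MpPreference | Select ExclusionPath` and `schtasks /query /v /fo CSV` output rather than to sandbox command lines.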

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6da6f32ddec4d88499b2f22ef1db04349863d39f49efe903db3fa6d1759d142b.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6da6f32ddec4d88499b2f22ef1db04349863d39f49efe903db3fa6d1759d142b.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2060
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3028
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3024
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1736
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1732
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:576
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:908
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:992
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1036
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:644
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:936
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1560
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2788
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3064
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2200
          • C:\Users\Default User\csrss.exe
            "C:\Users\Default User\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1032
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2984
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2036
                • C:\Users\Default User\csrss.exe
                  "C:\Users\Default User\csrss.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1728
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:880
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:2412
                      • C:\Users\Default User\csrss.exe
                        "C:\Users\Default User\csrss.exe"
                        9⤵
                        • Executes dropped EXE
                        PID:2168
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat"
                          10⤵
                            PID:1244
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              11⤵
                                PID:2828
                              • C:\Users\Default User\csrss.exe
                                "C:\Users\Default User\csrss.exe"
                                11⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2976
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat"
                                  12⤵
                                    PID:816
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      13⤵
                                        PID:2756
                                      • C:\Users\Default User\csrss.exe
                                        "C:\Users\Default User\csrss.exe"
                                        13⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2880
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nb2ryfxXmZ.bat"
                                          14⤵
                                            PID:2656
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              15⤵
                                                PID:1252
                                              • C:\Users\Default User\csrss.exe
                                                "C:\Users\Default User\csrss.exe"
                                                15⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2812
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\veDg5wW3gS.bat"
                                                  16⤵
                                                    PID:2556
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      17⤵
                                                        PID:760
                                                      • C:\Users\Default User\csrss.exe
                                                        "C:\Users\Default User\csrss.exe"
                                                        17⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2280
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat"
                                                          18⤵
                                                            PID:1724
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              19⤵
                                                                PID:1908
                                                              • C:\Users\Default User\csrss.exe
                                                                "C:\Users\Default User\csrss.exe"
                                                                19⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:944
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oxTQ808hvM.bat"
                                                                  20⤵
                                                                    PID:2116
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      21⤵
                                                                        PID:2572
                                                                      • C:\Users\Default User\csrss.exe
                                                                        "C:\Users\Default User\csrss.exe"
                                                                        21⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:748
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat"
                                                                          22⤵
                                                                            PID:2488
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              23⤵
                                                                                PID:1172
                                                                              • C:\Users\Default User\csrss.exe
                                                                                "C:\Users\Default User\csrss.exe"
                                                                                23⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:756
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hiVaTihpWK.bat"
                                                                                  24⤵
                                                                                    PID:2172
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      25⤵
                                                                                        PID:2248
                                                                                      • C:\Users\Default User\csrss.exe
                                                                                        "C:\Users\Default User\csrss.exe"
                                                                                        25⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2952
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mw1PlbJmoj.bat"
                                                                                          26⤵
                                                                                            PID:1916
                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                              27⤵
                                                                                                PID:2420
                                                                                              • C:\Users\Default User\csrss.exe
                                                                                                "C:\Users\Default User\csrss.exe"
                                                                                                27⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:2100
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2188
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2648
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Templates\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\Templates\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2532
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Templates\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1544
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2416
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2828
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\twain_32\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1996
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\twain_32\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1964
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\providercommon\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1972
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:496
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1460
  • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\Idle.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2156
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\Idle.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2120
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\Idle.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2096
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Desktop\dwm.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:408
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:748
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2304
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1604
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1860
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1620
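Every schtasks.exe invocation above follows the same template: the dropped copy is registered once as "<name>" on ONLOGON with /rl HIGHEST and twice more as "<name>" plus its own first letter (services/servicess, WmiPrvSE/WmiPrvSEW, OSPPSVC/OSPPSVCO, Idle/IdleI, dwm/dwmd) on a MINUTE schedule of 5 to 14 minutes, one of those with /rl HIGHEST and one without, and every target is a Windows component name living outside System32 (C:\providercommon, C:\Users\All Users, a VLC folder). The block below is an added example, not part of this report and not the sandbox's own rule logic: it parses command lines in the exact shape shown in the process tree and scores each one against those indicators. The first nine entries of SAMPLE_CMDLINES are copied from the tree above; the tenth is a constructed benign control line, and the function names, thresholds and EXPECTED_ROOTS list are my own assumptions.

```python
"""Spot DCRat-style scheduled-task persistence in schtasks.exe command lines.

Added example, not part of the sandbox report or of any vendor tooling.
The first nine command lines are copied from the report's process tree; the
tenth is a constructed benign control. The heuristics are my own reading of
the pattern the report shows.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Windows component names the dropper reused for its payload copies (all seen in the report).
MASQUERADE_NAMES = {"services.exe", "wmiprvse.exe", "osppsvc.exe", "idle.exe", "dwm.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Top-level folders where a legitimately installed task target normally lives (assumption).
EXPECTED_ROOTS = {"windows", "program files", "program files (x86)"}

SAMPLE_CMDLINES = r'''
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe'" /f
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\OSPPSVC.exe'" /f
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\OSPPSVC.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\OSPPSVC.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Desktop\dwm.exe'" /f
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\dwm.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\dwm.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "GoogleUpdateTaskMachineUA" /sc DAILY /tr "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /f
'''.strip().splitlines()  # last line is a constructed benign control, not from the report


@dataclass(frozen=True)
class TaskCreate:
    name: str
    schedule: str            # ONLOGON, MINUTE, DAILY, ...
    modifier: Optional[int]  # /mo value (interval) for MINUTE/HOURLY/DAILY schedules
    target: str              # program from /tr with both quoting layers stripped
    highest: bool            # /rl HIGHEST present
    force: bool              # /f present (silently overwrite an existing task of that name)


_TOKEN = re.compile(r'"[^"]*"|\S+')  # keep double-quoted arguments (paths with spaces) whole


def parse_schtasks(cmdline: str) -> Optional[TaskCreate]:
    """Parse a `schtasks /create` command line; returns None for other verbs or malformed input."""
    toks = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    if len(toks) < 2 or toks[1].lower() != "/create":
        return None
    opts, flags, i = {}, set(), 2
    while i < len(toks):
        key = toks[i].lower()
        if key in ("/tn", "/sc", "/mo", "/tr", "/rl") and i + 1 < len(toks):
            opts[key] = toks[i + 1]
            i += 2
        else:
            flags.add(key)
            i += 1
    if "/tn" not in opts or "/tr" not in opts:
        return None
    mo = opts.get("/mo", "")
    return TaskCreate(
        name=opts["/tn"],
        schedule=opts.get("/sc", "").upper(),
        modifier=int(mo) if mo.isdigit() else None,
        target=opts["/tr"].strip("'"),  # the report shows "'path'": single quotes inside double
        highest=opts.get("/rl", "").upper() == "HIGHEST",
        force="/f" in flags,
    )


def indicators(task: TaskCreate) -> list:
    """Heuristic findings for one task; an empty list means nothing looked odd."""
    path = task.target.lower()
    parts = path.split("\\")
    base = parts[-1]
    stem = base[:-4] if base.endswith(".exe") else base
    hits = []
    if base in MASQUERADE_NAMES and not path.startswith(SYSTEM_DIRS):
        hits.append("Windows component name outside System32/SysWOW64")
    if len(parts) < 2 or parts[1] not in EXPECTED_ROOTS:
        hits.append("target under a user-writable or non-standard root folder")
    # Each payload is registered as "<stem>" and as "<stem>" + its own first letter.
    if stem and task.name.lower() in (stem, stem + stem[0]):
        hits.append("task name copies the target file name")
    if task.highest:
        hits.append("runs with highest available privileges (/rl HIGHEST)")
    if task.schedule == "MINUTE" and task.modifier is not None and task.modifier <= 15:
        hits.append(f"re-launched every {task.modifier} minutes")
    return hits


def triplet_targets(tasks) -> set:
    """Targets registered the way the report shows: ONLOGON plus MINUTE tasks with and without HIGHEST."""
    by_target = defaultdict(list)
    for t in tasks:
        by_target[t.target].append(t)
    found = set()
    for target, group in by_target.items():
        has_logon = any(t.schedule == "ONLOGON" for t in group)
        minute_hi = any(t.schedule == "MINUTE" and t.highest for t in group)
        minute_lo = any(t.schedule == "MINUTE" and not t.highest for t in group)
        if has_logon and minute_hi and minute_lo:
            found.add(target)
    return found


def analyse(cmdlines):
    """Return [(task, findings)] for every parseable /create line plus the full-triplet targets."""
    tasks = [t for t in map(parse_schtasks, cmdlines) if t is not None]
    return [(t, indicators(t)) for t in tasks], triplet_targets(tasks)


if __name__ == "__main__":
    findings, triplets = analyse(SAMPLE_CMDLINES)
    for task, hits in findings:
        print(f"{task.name:<28} {task.target}")
        for h in hits:
            print("    -", h)
    print("full persistence triplet:", *sorted(triplets), sep="\n  ")
```

The name-copy and masquerade checks carry the signal here; /f and /rl HIGHEST on their own are common in legitimate installers, so the triplet grouping is what turns three individually weak events into one confident finding. Feed it the schtasks.exe command lines from a process-creation log (Sysmon event 1 or 4688 with command-line auditing) rather than from the task XML, since the dropper also removes the intermediate .bat files.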

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Downloads

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            e74ff9bf3a3c885214f9ff4b73ca2c72

                                            SHA1

                                            d572c06fd2f3281ea4eac9ba0025fb60793edd93

                                            SHA256

                                            3adccc97ae5b087ceea99e9e14643382086e41213cff5f69a0abe8ff07da3529

                                            SHA512

                                            a9864fbf600d34ad72a1c736de983ab46d750508c584db9cc812b91e945ee0f41bd5de1798656a3b2cc408da7084c834805e88efc7ea740b5655077d07ea5325

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            94e0ad58bbded027e10cab1de89947ca

                                            SHA1

                                            b796235580cdf46d8ae574dbca665a2ce7da16e3

                                            SHA256

                                            7e960a1b93e07418700b6b1dd6df9ee5ecd92f2e471cfc7dfd1fb61c5ca67048

                                            SHA512

                                            db2a6c65f082ecd7fa5569c7d37da5779fdce484eb4a7b29d54faa2ff9a0a4d3f9aa32f74d1ef28f015331c27b9f17be2e029e4bed449ec12ded042b49b4f7dd

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            7613af2eb9359227d46606439dc66dfc

                                            SHA1

                                            6ae22a1f5677264cff5bf305962ee8d6de6ff2ca

                                            SHA256

                                            d06579637c3ca78523b07f85e3a2af31cbb9ee33f3617fc4e1fafd20fa44d430

                                            SHA512

                                            0acc28387c61c39e82c89966b5a7eb2888e5c696496d182c4d9185c00df2d3c76fa58362745e560c504c87b7cf3ee92845fc41b0f597dcc3607b0d86c2d71325

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            5242d6cd15d5cf46bbc36ec72aba8fb0

                                            SHA1

                                            9fbd00d5bafaa3fb2a066fb024a01514cd560a4e

                                            SHA256

                                            7d38a0d586250e0232cfbbc9602cee891bea492ae0f104c211cf36e48a311cb0

                                            SHA512

                                            8f614f297fd7518e74c4fdee4318ed42fcf6c6282bcb7b2a7000050f5bd6b1883bdac01022ca58e9a571fdf34cdb12b0ae9525980347624137db52919cdaffc6

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            70a408fd7c7f7f3759a3e1f98a25d56d

                                            SHA1

                                            a30b1cde6455d1cb88dbfa2da67bb55ad9b172a2

                                            SHA256

                                            00f384cbac881c683c512d9ffa384ce6f5d93b5a7ac556d22fde19d812eeb854

                                            SHA512

                                            f470f0393d57cc9088b025359c8c15f5c6cb04f9c1d1726224c4827b68542e137c956f96bb2711d9ae430540f2853f331bd0d3fc2669d9706207ac93fa48167d

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            5943afe1b6a548ef531fb833e5b64c51

                                            SHA1

                                            b63951508575a54eed1a3a7f95e816bcc53ea9b4

                                            SHA256

                                            0810ab008d4855e5d46a8c63e653ccfe726d51054eb95142afbf271dc742f425

                                            SHA512

                                            8e7a5bb32e175ba03d8e0959c06579fb85fd47f4c298e6bd77f851d8abbec7ee1228f2eae4a4bbc53b00221f7950af572393b30b98c9782fe4d58cebff55c1b8

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            25cb7323f1523b5e74b8362a1072cf4c

                                            SHA1

                                            bdabb77720726fa82fbb2867ede6ec6a60d6c442

                                            SHA256

                                            f0f9f22712d23d96c9a37bc045c00746dd3ab780a90f49b5f70d39b240cb5c2b

                                            SHA512

                                            2e1f65c43c04cbcf115919171de3d7d1abb9832e6dc028cdd1b6660c5ea448dd61c2ab46ba72ef6b3a48575e55214d686c1a2a5cf3d1433d04c8c504aab98a68

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            b1c751d288a9c6f942ecfcf8631f69a4

                                            SHA1

                                            60ad761c9897536d2ab1918c6e7f8d545fd12226

                                            SHA256

                                            45465341f3c5e81fe668efaf7f88a2536477dec83db0576f6c61687e9490a53a

                                            SHA512

                                            7f7b18dd3117058860efcb399e7ce1b4ccb78ddfb4375e3c39fcba58de7268605f9d657ba2d2b831c75b8f106e31bfa852b80defc1cc14aced11cfa9f9c60487

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            199aee5a8795e5952eaee23edd1d2c9f

                                            SHA1

                                            435d2616ea977e3020b84bd33ef56aa15cf65624

                                            SHA256

                                            3997ec6d584e41c60476157e6cb596058b63e63df06afe909347cab075d1a6fc

                                            SHA512

                                            729f5e5fea5aab53b99a5741980d44864a4e38e9473f052a59f432822ce551c85b4c5a180f8e1f91a499e1c208082c0b2c1e24a674517f661d062ebb26ee6e84

                                          • C:\Users\Admin\AppData\Local\Temp\Cab2010.tmp

                                            Filesize

                                            70KB

                                            MD5

                                            49aebf8cbd62d92ac215b2923fb1b9f5

                                            SHA1

                                            1723be06719828dda65ad804298d0431f6aff976

                                            SHA256

                                            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                            SHA512

                                            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                          • C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat

                                            Filesize

                                            196B

                                            MD5

                                            c744cd32ac3f5cb42f8eb1c02b9a98d2

                                            SHA1

                                            41326bf65e5af98b665b77015fac617c81fdf4cf

                                            SHA256

                                            b5fb24cae5e608af81d77af31f9c352aec20c4660925e2760891669e7ca80e39

                                            SHA512

                                            36d1cab9eb53959f32513fabde8160b50b3264949930407ae333d3d061ca94b06392986a3fee871c1985268ca286161c4e56433071a9d7e4154539a8e81fc73f

                                          • C:\Users\Admin\AppData\Local\Temp\Mw1PlbJmoj.bat

                                            Filesize

                                            196B

                                            MD5

                                            7542c45c33bd5669defe63a91018f9a0

                                            SHA1

                                            a07adb80be79578cd169d46a411944db3fdea557

                                            SHA256

                                            8b1635da1cf5d8021d18c9f774a4e317c550522042e05fca3f8da7a2c4729959

                                            SHA512

                                            ea77e99710297750a4c1b122054a874e3c5d5e7ef6a67e9e2427ab35933533b7c1643c87a73181be3205653ceb3e1719f4221c9c2fceccd7e88ab9ab4d27d1fd

                                          • C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat

                                            Filesize

                                            196B

                                            MD5

                                            6ab45a9f75320e33dc23c2a7e94bd177

                                            SHA1

                                            1527a9791e2aedee937a5aa0a5e2b26cfad87d9c

                                            SHA256

                                            b5511b592c622a4e3e27e830f9446a84fede84a2374ffb1657b21788aec8a5c3

                                            SHA512

                                            d64ff7efdb0b10a9794d87d34aa309b861da439ffe8ecea2a9e76b396525ec94f5bef9a29086e4e9b052bc2e2d2c89897a8ec702fe432edab1aa63c2861f8c3d

                                          • C:\Users\Admin\AppData\Local\Temp\Tar2033.tmp

                                            Filesize

                                            181KB

                                            MD5

                                            4ea6026cf93ec6338144661bf1202cd1

                                            SHA1

                                            a1dec9044f750ad887935a01430bf49322fbdcb7

                                            SHA256

                                            8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                            SHA512

                                            6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                          • C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat

                                            Filesize

                                            196B

                                            MD5

                                            ac9e24ae8406e3177b1beee3a4b3383a

                                            SHA1

                                            7e317a66d56367233503fd73c435afe26bf4fa53

                                            SHA256

                                            6f1871238a3d8c152b42d115b3eab8507b255b940238345f837a43e1dd11354b

                                            SHA512

                                            68aef16b0adcccc631eafc6bb4dcdf0a2ffaab1f5457ae92cb4688f9a2528b29ee7b52bccd731c238b370fb2d01170f6dfbbb0b235757e4c8e09385309e7c855

                                          • C:\Users\Admin\AppData\Local\Temp\hiVaTihpWK.bat

                                            Filesize

                                            196B

                                            MD5

                                            3738fd0d1abf7fa210611faa0809f7db

                                            SHA1

                                            4084205ef61cbb1b26dd3a00cbd9fd810492b3fc

                                            SHA256

                                            9e7f22ad4b0a28db5b8b9dd3f21f3c554bfd577446b945174704f71fd6c1827b

                                            SHA512

                                            a638e80d9a9925e078225b725830ed6c510395458454d1b45c48cc2c25000c2c79eefc23822f59d07665f1f5d868cbb5a219848badf833ffe3ef91355c4da138

                                          • C:\Users\Admin\AppData\Local\Temp\nb2ryfxXmZ.bat

                                            Filesize

                                            196B

                                            MD5

                                            3853e0830c69b46ef09ad29cbe4082ae

                                            SHA1

                                            4f4bd9c5a1760e95a65fc69d3ea0c71f462f6c52

                                            SHA256

                                            2262d4a18a4c000786d2d369e1992cb1181ebfe9b91073f144fed84c4b71c004

                                            SHA512

                                            42c50dd5ff691d2f4b2e903f18ec5bc629aab594e81876ffb106a55933dab24b19e7d50e62a70688c74778592db9a7f86966432fd383dd02fe1e09fe1515164f

                                          • C:\Users\Admin\AppData\Local\Temp\oxTQ808hvM.bat

                                            Filesize

                                            196B

                                            MD5

                                            54e78695cf661fcd588f5a139bb7c9bf

                                            SHA1

                                            174fa92fc10bf9259ef67a983fe7cdbce66ee26f

                                            SHA256

                                            e3ceca019b1ff6ada21f4371f042daa71924cf33d8ec2f580934979ddd67008b

                                            SHA512

                                            a95c64b3d774b452be62ab4aa01ab075e1af4d4496362845904736789d08a842a95085af639706419240dbf67600057e982212391ac556d4a83b57c5c67aa342

                                          • C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat

                                            Filesize

                                            196B

                                            MD5

                                            82db310dca7e495ddd4ad99a3670606c

                                            SHA1

                                            cecef0e8e50739c59106ace385d041c4c41fbea4

                                            SHA256

                                            9ec5328f6f64a95bfcd36f63673587902bb75cbe6302c9ef07402d7b6cc3cec4

                                            SHA512

                                            8aa6d7c330fcc4a44bfeffe9688a231bdf080dcbe4b0b49a241bae675c3efffceea1433ef5891546f4690ac5ce56d0b43e69db23a40bde36c9b31b936da3d340

                                          • C:\Users\Admin\AppData\Local\Temp\veDg5wW3gS.bat

                                            Filesize

                                            196B

                                            MD5

                                            330cd748c27da9cc5c7325196e553c4a

                                            SHA1

                                            ec552600c40de285dcbcf87e5b2c33cdb85a965d

                                            SHA256

                                            88cfd5540cb0fb0af360e467c74dba70abbd6bf1f27e326770e516f1f0d57904

                                            SHA512

                                            4e73b9a2a4a6debd3aae000eb4bab5f5ef5b7c449ec689361f1dabca13a3a0d43bc00e6db53b64c2b02ae3198ad7c85faa73d699da0bd8d811e723436606b531

                                          • C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat

                                            Filesize

                                            196B

                                            MD5

                                            92f5b336f4f893d58cbebaded941c75d

                                            SHA1

                                            217faf851ccb85e6f2e90be70b8c5ee9eaeda4a8

                                            SHA256

                                            459fd3ce593e989c376e50f262179d806bbba7991c8a44ce7e883fb05fdcc935

                                            SHA512

                                            d75ba868db2c4a0ed9fef95c717030a6118429c4a6925f2470a1c9f0fc9084117655c24a3d586089f267b8151bf4a4cef24f9d91b3e78b46a820d4554c86eb13

                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                            Filesize

                                            7KB

                                            MD5

                                            c5bdd34c5b7996ee54a036217f7d93d2

                                            SHA1

                                            d8f7d8eac6f6f16ce84d205e110e9784eb049886

                                            SHA256

                                            5eb828ab9143011d717c73ee2e164b5e9c3016ac53204cdb322dc09e95063333

                                            SHA512

                                            c44e7dab3948de075d47dab5ebe53ba18aa597bc43bfe133f423800feb5833da9d7f4f56d43ba1ea6b944d6d9516f54b5ffd300ce40999cff80eabae82fc86f3

                                          • C:\providercommon\1zu9dW.bat

                                            Filesize

                                            36B

                                            MD5

                                            6783c3ee07c7d151ceac57f1f9c8bed7

                                            SHA1

                                            17468f98f95bf504cc1f83c49e49a78526b3ea03

                                            SHA256

                                            8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                            SHA512

                                            c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                          • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                            Filesize

                                            197B

                                            MD5

                                            8088241160261560a02c84025d107592

                                            SHA1

                                            083121f7027557570994c9fc211df61730455bb5

                                            SHA256

                                            2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                            SHA512

                                            20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                          • \providercommon\DllCommonsvc.exe

                                            Filesize

                                            1.0MB

                                            MD5

                                            bd31e94b4143c4ce49c17d3af46bcad0

                                            SHA1

                                            f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                            SHA256

                                            b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                            SHA512

                                            f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                          • memory/748-520-0x00000000013A0000-0x00000000014B0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/944-459-0x0000000000040000-0x0000000000150000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/944-460-0x0000000000550000-0x0000000000562000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/1032-56-0x0000000000010000-0x0000000000120000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/1728-157-0x00000000009A0000-0x0000000000AB0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/1736-66-0x0000000002770000-0x0000000002778000-memory.dmp

                                            Filesize

                                            32KB

                                          • memory/1736-57-0x000000001B570000-0x000000001B852000-memory.dmp

                                            Filesize

                                            2.9MB

                                          • memory/2280-399-0x00000000005C0000-0x00000000005D2000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2812-339-0x0000000000250000-0x0000000000262000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2880-279-0x00000000002C0000-0x00000000002D2000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2976-219-0x00000000013C0000-0x00000000014D0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/3024-17-0x0000000000470000-0x000000000047C000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/3024-16-0x0000000000450000-0x000000000045C000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/3024-15-0x0000000000460000-0x000000000046C000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/3024-14-0x0000000000440000-0x0000000000452000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/3024-13-0x00000000010E0000-0x00000000011F0000-memory.dmp

                                            Filesize

                                            1.1MB
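The Downloads list above mixes three kinds of entry: files the sample itself wrote (the ten 196-byte .bat files in Temp, the .bat and .vbe under C:\providercommon, and the 1.0MB DllCommonsvc.exe), files Windows writes during almost any run (the same CryptnetUrlCache metadata path listed nine times with nine different hashes, the Cab/Tar scratch files in Temp, an Explorer jump-list entry), and memory-region dumps that carry a size but no hash. The block below is an added example and not the report's own tooling: it parses the report's layout (a bullet path line followed by label and value lines), separates attacker artifacts from background noise, and emits a SHA256 hunt set. REPORT_EXCERPT is a constructed excerpt of seven entries copied from the list above with the MD5, SHA1 and SHA512 lines and the blank spacer lines dropped; the noise rules, function names and the "rewritten during run" heuristic are my own assumptions.

```python
"""Split a sandbox report's dropped-file list into attacker artifacts and background noise.

Added example, not the report's own tooling. REPORT_EXCERPT is a constructed
excerpt copied from this report's Downloads section (seven entries; MD5, SHA1
and SHA512 lines omitted). The noise rules below are my own.
"""
import re
from dataclasses import dataclass
from typing import Optional

REPORT_EXCERPT = r"""
• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize
  342B
  SHA256
  3adccc97ae5b087ceea99e9e14643382086e41213cff5f69a0abe8ff07da3529
• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize
  342B
  SHA256
  7e960a1b93e07418700b6b1dd6df9ee5ecd92f2e471cfc7dfd1fb61c5ca67048
• C:\Users\Admin\AppData\Local\Temp\Cab2010.tmp
  Filesize
  70KB
  SHA256
  b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
• C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat
  Filesize
  196B
  SHA256
  b5fb24cae5e608af81d77af31f9c352aec20c4660925e2760891669e7ca80e39
• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize
  197B
  SHA256
  2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
• \providercommon\DllCommonsvc.exe
  Filesize
  1.0MB
  SHA256
  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
• memory/748-520-0x00000000013A0000-0x00000000014B0000-memory.dmp
  Filesize
  1.1MB
"""

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")


@dataclass(frozen=True)
class Entry:
    path: str
    size: Optional[str]
    sha256: Optional[str]   # None for memory dumps, which the report lists without hashes


def parse_downloads(text: str) -> list:
    """Parse the report layout: a '•' path line, then label lines each followed by a value line."""
    blocks, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                       # the rendered page puts a blank line between every field
            continue
        if line.startswith("•"):
            blocks.append({"path": line[1:].strip()})
            pending = None
        elif line in LABELS:
            pending = line
        elif pending is not None and blocks:
            blocks[-1][pending] = line
            pending = None
    return [Entry(b["path"], b.get("Filesize"), b.get("SHA256")) for b in blocks]


# Paths the sandbox or Windows itself writes regardless of what the sample does (my assumptions).
NOISE_RULES = [
    (re.compile(r"\\CryptnetUrlCache\\", re.I), "CAPI2 CRL/OCSP cache; rewritten by any certificate chain check"),
    (re.compile(r"\\Temp\\(Cab|Tar)[0-9A-F]+\.tmp$", re.I), "WinTrust cabinet extraction scratch file"),
    (re.compile(r"\.customDestinations-ms$", re.I), "Explorer jump-list entry"),
    (re.compile(r"^memory/\d+-\d+-0x", re.I), "memory-region dump, not a file the sample wrote"),
]


def classify(entry: Entry):
    """Return ('noise', reason) or ('artifact', reason) for one entry."""
    for pattern, reason in NOISE_RULES:
        if pattern.search(entry.path):
            return "noise", reason
    return "artifact", "written by the sample; candidate IOC"


def hunt_hashes(entries) -> dict:
    """SHA256 -> path for every attacker artifact that has a hash."""
    return {e.sha256: e.path for e in entries if classify(e)[0] == "artifact" and e.sha256}


def repeated_paths(entries) -> dict:
    """Paths listed more than once with distinct hashes: the file was rewritten during the run."""
    per_path = {}
    for e in entries:
        per_path.setdefault(e.path, set()).add(e.sha256)
    return {p: len(h) for p, h in per_path.items() if len(h) > 1}


if __name__ == "__main__":
    entries = parse_downloads(REPORT_EXCERPT)
    for e in entries:
        kind, why = classify(e)
        print(f"{kind:<8} {e.size or '-':>6}  {e.path}  ({why})")
    print("hunt set:", hunt_hashes(entries))
    print("rewritten during run:", repeated_paths(entries))
```

Running it on the full list above leaves the hunt set at the twelve files under Temp and C:\providercommon plus DllCommonsvc.exe; the scheduled-task targets (services.exe, WmiPrvSE.exe, OSPPSVC.exe, Idle.exe, dwm.exe) do not appear in this list at all, so their hashes have to come from the host or from the "Drops file in Program Files directory" events, not from this section. A path that recurs with many hashes is usually the CRL cache, not re-staging by the sample, which is why the repeated-path check reports a count rather than flagging the entry.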