Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 18:29

General

  • Target

    JaffaCakes118_148628a65c9d0b7e3085682e6f6f175930eb292667560b125c9b15eb880fbc74.exe

  • Size

    1.3MB

  • MD5

    2a2f491aa6f9963908916033c9cedd3c

  • SHA1

    fe26fa5085318afe6c8e35924c524906c410b075

  • SHA256

    148628a65c9d0b7e3085682e6f6f175930eb292667560b125c9b15eb880fbc74

  • SHA512

    27fa84df57c93eb04be0de81cf38322b0e454651a07599397441f178837b9112c2e8eadb7db43bf7aa5f557cd293c0a5f610b1da971fc02a1f5855112433cfd4

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    PowerShell is run to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. In this run all eleven calls are Add-MpPreference -ExclusionPath, one per dropped copy, so the excluded paths double as the list of locations that need cleaning. The Defender PowerShell module that provides Add-MpPreference does not ship with Windows 7, so on this image the calls cannot succeed; the signature fires on the attempt.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here every dropped copy gets three tasks: one on a MINUTE interval, one ONLOGON with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST (10 copies, 30 IoCs). The MINUTE tasks restart the binary if it is killed and the ONLOGON task carries it across reboots; /rl HIGHEST only yields an elevated task if the process creating it is itself elevated.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
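The two signatures above that matter most for response, the Add-MpPreference exclusions and the schtasks persistence, can be pulled straight out of the command lines in the process tree. The following is an added example, not part of this report or of any sandbox tooling: it classifies command lines of the form shown on this page and flags binaries that borrow a Windows system name (lsass.exe, dwm.exe, smss.exe, taskhost.exe, explorer.exe, OSPPSVC.exe) while living outside that binary's real directory. The REAL_LOCATION table, the fixed schtasks argument order, and the sample lines (copied from the tree on this page) are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Where each binary name this sample borrows really lives on Windows 7 x64.
# Assumption of this example; adjust for other builds.
REAL_LOCATION = {
    "lsass.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "dwm.exe": r"c:\windows\system32",
    "taskhost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "osppsvc.exe": r"c:\program files\common files\microsoft shared"
                   r"\officesoftwareprotectionplatform",
}

EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Extension|Process)\s+'([^']+)'",
    re.IGNORECASE)
# Switch order as it appears in this report (/tn, /sc, optional /mo, /tr).
# Other families reorder switches; a production parser should tokenise.
SCHTASKS_RE = re.compile(
    r'schtasks(?:\.exe)?\s+/create\s+/tn\s+"([^"]+)"\s+/sc\s+(\w+)'
    r'(?:\s+/mo\s+(\d+))?\s+/tr\s+"\'([^\']+)\'"(.*)$', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str         # "defender_exclusion" or "scheduled_task"
    target: str       # path excluded from Defender, or the task's action
    detail: str       # exclusion type, or task name and schedule
    highest: bool     # task created with /rl HIGHEST
    masquerade: bool  # system-binary name outside its real directory


def is_masquerade(path: str) -> bool:
    """A file named like a core Windows binary but stored anywhere other
    than that binary's real directory is a masquerading copy."""
    directory, _, name = path.lower().rpartition("\\")
    real = REAL_LOCATION.get(name)
    return real is not None and directory != real


def analyse(cmdline: str) -> Optional[Finding]:
    """Classify one process command line; None if it is of no interest."""
    if m := EXCLUSION_RE.search(cmdline):
        kind, value = m.groups()
        return Finding("defender_exclusion", value, "Exclusion" + kind,
                       False, is_masquerade(value))
    if m := SCHTASKS_RE.search(cmdline):
        name, sched, every, target, rest = m.groups()
        detail = f"{name}: {sched.upper()}" + (f" every {every}" if every else "")
        return Finding("scheduled_task", target, detail,
                       "/rl highest" in rest.lower(), is_masquerade(target))
    return None


def summarise(cmdlines) -> dict:
    """Counts a responder wants first, plus every path that must be cleaned."""
    found = [f for f in map(analyse, cmdlines) if f]
    return {
        "defender_exclusion": sum(f.kind == "defender_exclusion" for f in found),
        "scheduled_task": sum(f.kind == "scheduled_task" for f in found),
        "highest": sum(f.highest for f in found),
        "masquerade": sum(f.masquerade for f in found),
        "paths": sorted({f.target for f in found}),
    }


# Constructed sample: six command lines copied from the process tree on this
# page plus one benign w32tm line that the parser must ignore.
SAMPLE = [l for l in r"""
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\WIA\lsass.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\it-IT\explorer.exe'
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\WIA\lsass.exe'" /f
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\debug\WIA\lsass.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe'" /rl HIGHEST /f
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
""".splitlines() if l.strip()]

if __name__ == "__main__":
    for f in filter(None, map(analyse, SAMPLE)):
        print(f"{f.kind:18} {f.detail:24} {'MASQ' if f.masquerade else '    '} {f.target}")
    print(summarise(SAMPLE))
```

Feed it the command lines from a full report and the "paths" entry is the cleanup list; anything flagged as a masquerade outside C:\Windows\System32 (or C:\Windows for explorer.exe) is a dropped copy, not the real binary. The masquerade check is deliberately strict about the directory rather than the file name alone, because the file name is exactly what the sample chose to make a process listing look normal.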

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_148628a65c9d0b7e3085682e6f6f175930eb292667560b125c9b15eb880fbc74.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_148628a65c9d0b7e3085682e6f6f175930eb292667560b125c9b15eb880fbc74.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2016
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2480
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1788
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\WIA\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:800
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\ELS\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1340
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:960
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Windows\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1872
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2624
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2008
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\it-IT\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1048
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3012
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3000
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1164
          • C:\Windows\debug\WIA\lsass.exe
            "C:\Windows\debug\WIA\lsass.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1732
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r7gOBUt9HL.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1700
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2280
                • C:\Windows\debug\WIA\lsass.exe
                  "C:\Windows\debug\WIA\lsass.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2028
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iLsGNVHQP6.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2420
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:2352
                      • C:\Windows\debug\WIA\lsass.exe
                        "C:\Windows\debug\WIA\lsass.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1236
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lBSBdtFHPx.bat"
                          10⤵
                            PID:2708
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              11⤵
                                PID:1888
                              • C:\Windows\debug\WIA\lsass.exe
                                "C:\Windows\debug\WIA\lsass.exe"
                                11⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1976
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat"
                                  12⤵
                                    PID:2136
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      13⤵
                                        PID:2380
                                      • C:\Windows\debug\WIA\lsass.exe
                                        "C:\Windows\debug\WIA\lsass.exe"
                                        13⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:832
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat"
                                          14⤵
                                            PID:2900
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              15⤵
                                                PID:2028
                                              • C:\Windows\debug\WIA\lsass.exe
                                                "C:\Windows\debug\WIA\lsass.exe"
                                                15⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2908
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat"
                                                  16⤵
                                                    PID:1356
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      17⤵
                                                        PID:2620
                                                      • C:\Windows\debug\WIA\lsass.exe
                                                        "C:\Windows\debug\WIA\lsass.exe"
                                                        17⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1888
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat"
                                                          18⤵
                                                            PID:1664
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              19⤵
                                                                PID:1732
                                                              • C:\Windows\debug\WIA\lsass.exe
                                                                "C:\Windows\debug\WIA\lsass.exe"
                                                                19⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2836
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat"
                                                                  20⤵
                                                                    PID:2080
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      21⤵
                                                                        PID:1036
                                                                      • C:\Windows\debug\WIA\lsass.exe
                                                                        "C:\Windows\debug\WIA\lsass.exe"
                                                                        21⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1824
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat"
                                                                          22⤵
                                                                            PID:1504
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              23⤵
                                                                                PID:316
                                                                              • C:\Windows\debug\WIA\lsass.exe
                                                                                "C:\Windows\debug\WIA\lsass.exe"
                                                                                23⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2424
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\WIA\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\debug\WIA\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\WIA\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Globalization\ELS\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Globalization\ELS\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Globalization\ELS\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2664
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2728
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2296
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft\Windows\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1604
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Windows\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:556
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft\Windows\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2892
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1152
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2720
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1264
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1944
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\it-IT\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2996
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2516
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2432
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2384
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3028
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2256
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2088
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2544

                                  Network

                                  MITRE ATT&CK Enterprise v15


                                  Downloads

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 90731f866602d225484057b1a07deac4
  SHA1: 4498061d37b155552d0f86a120d7f5ab75114f1e
  SHA256: b10df04962e3a83341f771d644315107a2f69c80c581925fc4048513e4bd3bb4
  SHA512: 33a386851bfc59c56448eb06b5d6e640f794a59fc22053efc5063384cc55221666eea0085c831b048330d18a65920e25c8f31c8ddbc6b1e9bdfd68c419fa57ce

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: cf0e55bca4e7be4d33e9b523a9b4caee
  SHA1: ba8a6b316988d679b61d1dfbce5399bf00267745
  SHA256: cef77a9ac2b3d9b6218ab749d37f66ccfb9365959b0ce8addfe558c2855456e7
  SHA512: b0b7c5419bb7cbfbecd6e6cf97b34d6863ee5fcae587145ec2fe158c9d6b19d596bd5666d43738eae50237c6fe7a65e2c63178bc950580dc13a73210d3238beb

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 0ab551799cde6660da8b97bec40b3db3
  SHA1: f6fed4a9f1f22539d32486f47dcc02edaee7b986
  SHA256: 711a7a78e5b4e5150bcbbd3ad52f4f491165da0d7eaa94fe9b3ce29d56ada085
  SHA512: eca6c07ebd9eca09caa4b656884831d94e4317f340d33b5737c55208a04862381eefa4d6aed764f12a832ddd211e6dd10c9855fa4c47891beb9f26d637c4b449

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 656d931e2f6f281dc24fa5bb9d44325f
  SHA1: e406a80a3d6deb8f617ac169ac2d397bef34f9e0
  SHA256: 90e6fd77d823ab9d318ff93b632ed43e5a3c3a6674a8bd2f496db3a9e34c044e
  SHA512: d352a73125c73611221d9cac366563d9e442d3ac9d602ed5e454dbdadba60076700e98392248222ccdb693eda98eb925496a4a00901bf545f3aaca466a6c107a

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: a24d8d688d13a9e1e00c1900274167aa
  SHA1: 41a817a14e35b5c9293a3b2bef21dc0463aa72c5
  SHA256: e4669f6dda5190c2427c87ba2ce1ff6311ac20ab9baa3817cc1299e9e0d5c610
  SHA512: 221c9b3efb9025cd2bb6aa871e43977ad4fcc11dc4170dad430baac38c770cbfcfb0f286a89a2cc74cc6bb9d642e2bb0358be8a4e3a01c1370e66e3965a7a3c9

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: f07c87c01b7df8c4412116356ac68867
  SHA1: 1b59dadce61f1d792f5f056f968367acfa0920e9
  SHA256: 3f170e360e3661fd2bc5a20c8e420d9f96a8cace9bf7958b447d2ab2b954846e
  SHA512: 0f66e21bf5b5535a62642682990b3ecc729ee291d5bc380791da26d304089c81b585904f8495f797ef11ee88019cd86f8833f7043e7fc4f94fc7fdb54d72fae1

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 114cccc6f1de72da1aeaf502a30820c7
  SHA1: 01669f2205f0db22e4e3b2c615177fa3c5030165
  SHA256: 087eedb547a52c59559576e3168be85d9fe609f0134c2353e2d41acebd099d1b
  SHA512: bddd69d72defade0dd04cbb6b2fd3196fd55a6564afdab76d9f8a298a236f409e40b1f72f06b1d16986c290772dc8432b659b393d636fbc2db84b430835202a6

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 64dbe3ea26814b65d8e9a745bb848b11
  SHA1: b914309407e399eb42647141626f25ce81f2d528
  SHA256: cebc1805975d21febf055ca08171fa33bc37df7073b56cf1601eedf09499bf12
  SHA512: 5e39fd58af218d4fbfae9b6ea842c001dd5c86edff2111b02ef984aac17d68f874f22554205fb987b094a430056be0441ec78b23167c2fd2764a60bce6588bd5

• C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat
  Filesize: 195B
  MD5: 1f6b5b24b71ccc4f668a8917dc9309cd
  SHA1: 4a6d70c33e318ce53e9735649ed4e9e1cd9126be
  SHA256: cb5f772e54b688ba81a1081b5a15b1751cebbb09466d2d2274459e9b1987702e
  SHA512: fac923319d8e04a6dfded3262763d9b45430ede8aff9b4be3a47082f1a5d4e19c9d5db9b5c41865cae2a18b727201fa97e61b6a36371ec5f3d178524723906f4

• C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat
  Filesize: 195B
  MD5: 3f14f59a487431610ed14f060fd42fdd
  SHA1: e2118e817c0291cb97ba60b269e75d373bc660f1
  SHA256: b4a47a2d66a7542089d8ce84acbda5ca53bce9f6f29d82f897cefa28ef9f03f8
  SHA512: 95f3732e07eafaeb93ae8010e23b6d699ef1f40e24dc9637444ce16998141b5b332561760e36fb83ddefaf6ef676839652f534bed33a696ea1d4db9058c40ac9

• C:\Users\Admin\AppData\Local\Temp\Cab456.tmp
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

• C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat
  Filesize: 195B
  MD5: 3c6aebbaee8d377f1e386c68c3172547
  SHA1: dfbeb1a5027da2c69245b45e3eb37b28694cd882
  SHA256: 9af504070e6fb95c02f1dc44357f5076ff7e32718d7b7671e58c6672bda5b683
  SHA512: 8e20bd4c48583f879a9ed34ba461557c3573a987f923502e21dceec7db69f488bc2f0b92f0b76dc6423de4c22d6c0734335c994b55adf94d45df944795577286

• C:\Users\Admin\AppData\Local\Temp\Tar553.tmp
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

• C:\Users\Admin\AppData\Local\Temp\iLsGNVHQP6.bat
  Filesize: 195B
  MD5: 134851517af1e4142b1fb78aefaf552b
  SHA1: 8050eb092498f8d50576406eccde470944e91bcc
  SHA256: a825c126a6828a850760ff007c151e579f89c3abf2fea535dae5a5318f05a42c
  SHA512: 13b588ac2b6e4ab2db77837241e44b7a2a8e92e24c4693cb21ed524ddfc64206a2797decdaf1b938b650351c76d1566af76bfd2fba0662ef92ca5c1cf96653b9

• C:\Users\Admin\AppData\Local\Temp\lBSBdtFHPx.bat
  Filesize: 195B
  MD5: 3f22479399fb8904f5e5ebc83fedf27f
  SHA1: 8eeb5963969905a29450b6c929cf9ce5b3249f71
  SHA256: a9eb6a733e482282f0184909e434d2dcaef56c6412ec4c42af53d3458c064944
  SHA512: 7108943b62af2e2c28630b0d503fe5f276c34becf2d90ca7ac42aca4ff7dafb597fa56eb386acd87503c0cd990e01f951be03ad25c07bc125bdad80e278c4f60

• C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat
  Filesize: 195B
  MD5: 1a12570d463d4dbe3237fe131cbf9c9f
  SHA1: a2cb65f80a184d7c042148e6d160bf48d889f81c
  SHA256: d8eef71421e007143166a0609ef8fdb7aa4994930f7b8452efcd2376b6df3684
  SHA512: c313c874e8f1b683dcc38c4888a1d008fd66f4cfe3c090160709f0ad47ab969d4d380682a4c83251a42bf404618d2228ed8ebe352066113a637de643b3eae130

• C:\Users\Admin\AppData\Local\Temp\r7gOBUt9HL.bat
  Filesize: 195B
  MD5: 8b3371150ebe370ff8f979cf338035d1
  SHA1: 745cb7b645225d66da32f414cc432f92b17c9a17
  SHA256: 4760186b3322d3950d1acc3d7aadbb23c2b5f2977e022b520459b20a2e994537
  SHA512: 10aaf05eb2a455bf9c125d8e4d1341cf99970489587ee7f1314caf14c65397b384670bb7e4369de4d7dc629a5a84ffe00c7ced5d0c7cf29c65340aecc416a129

• C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat
  Filesize: 195B
  MD5: 5f12efd5dafa1daf5e2846aebef9b4a6
  SHA1: d9ca620f63c2a5ca6ef33ad716e88f4f1077b11e
  SHA256: 2faffaf5b5db9479c8c23e282a389236f86bb38deae5296d725c1e0d2238c82b
  SHA512: ccad081860145104613202d6624ff716b0afc495f3b0bed02cc1d530fe7a6b0f886c54ba03e919fff7980fe78bfd9d496b2c8c480d1f829d9a2a36890dd1f0d8

• C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat
  Filesize: 195B
  MD5: 6404601e72380ee7457230d018b43f55
  SHA1: 7802deaad8e6e5f8c86c8d832fb4499a6e4cb51a
  SHA256: 6a75bbf06f0f8cdd885c23efc0ba3b1b277aa2e1fdccc5b4188a3891cf3bc263
  SHA512: c560be0c1f5adfa22c6e15d52fbb37705c5103980e3eda8ecde974fb79a60e6f1a30da67da33d2889718d09a8a330d20fffd76acb859bd1ba19ad3c4aebd804d

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: c2dc57e472d9c0dd30cde85ed5a3fec4
  SHA1: 7d381958fc2efbf6d29b51aeb7a39def3fed13a6
  SHA256: 90b4f32822fdc66abfe5b1038b5772c675a6dc4e8f1ef8714c65b7a74d394a22
  SHA512: fe2bedffb5866a807ec116afb1f1f62d748b17fb50a6cb483120d0566dd185f215de8c768cdc379a8a50346ddfaea5b0ac1636c76230f68c04e8d3d9ebd33511

• C:\providercommon\1zu9dW.bat
  Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

• \providercommon\DllCommonsvc.exe
  Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• memory/800-100-0x0000000002510000-0x0000000002518000-memory.dmp
  Filesize: 32KB

• memory/1236-220-0x0000000000920000-0x0000000000A30000-memory.dmp
  Filesize: 1.1MB

• memory/1732-73-0x0000000000290000-0x00000000003A0000-memory.dmp
  Filesize: 1.1MB

• memory/1824-578-0x0000000000320000-0x0000000000430000-memory.dmp
  Filesize: 1.1MB

• memory/1888-458-0x0000000000350000-0x0000000000460000-memory.dmp
  Filesize: 1.1MB

• memory/1976-280-0x0000000001300000-0x0000000001410000-memory.dmp
  Filesize: 1.1MB

• memory/2028-160-0x00000000004E0000-0x00000000004F2000-memory.dmp
  Filesize: 72KB

• memory/2028-159-0x00000000001E0000-0x00000000002F0000-memory.dmp
  Filesize: 1.1MB

• memory/2424-638-0x0000000001180000-0x0000000001290000-memory.dmp
  Filesize: 1.1MB

• memory/2480-17-0x0000000000360000-0x000000000036C000-memory.dmp
  Filesize: 48KB

• memory/2480-13-0x0000000000E10000-0x0000000000F20000-memory.dmp
  Filesize: 1.1MB

• memory/2480-16-0x0000000000350000-0x000000000035C000-memory.dmp
  Filesize: 48KB

• memory/2480-15-0x0000000000370000-0x000000000037C000-memory.dmp
  Filesize: 48KB

• memory/2480-14-0x0000000000340000-0x0000000000352000-memory.dmp
  Filesize: 72KB

• memory/2836-518-0x0000000000E80000-0x0000000000F90000-memory.dmp
  Filesize: 1.1MB

• memory/3000-99-0x000000001B340000-0x000000001B622000-memory.dmp
  Filesize: 2.9MB