Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted
    21-12-2024 18:31

General

  • Target

    JaffaCakes118_35fa3d6ff735a17a27296b9da33f90e7ed44a36d6ede5c95b2388819b264a912.exe

  • Size

    1.3MB

  • MD5

    4458307ad25e7a300d8493deceb064f1

  • SHA1

    f78729052984cfb851b7785f890a0004ce8076c2

  • SHA256

    35fa3d6ff735a17a27296b9da33f90e7ed44a36d6ede5c95b2388819b264a912

  • SHA512

    d67fc49abcb7f7cb5018680d70af05154e48082ccf503fffee6a10fc25ad0c6b7e77d7837151326e61ce6f9052445014973755e3344395fdb188118b46bb2aac

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_35fa3d6ff735a17a27296b9da33f90e7ed44a36d6ede5c95b2388819b264a912.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_35fa3d6ff735a17a27296b9da33f90e7ed44a36d6ede5c95b2388819b264a912.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2992
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2456
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1848
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\es-ES\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1076
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1712
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:340
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2548
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2584
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\MCT\MCT-US\Link\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2128
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:696
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:456
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:388
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1944
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\89RR0iqaMb.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1756
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1576
              • C:\providercommon\Idle.exe
                "C:\providercommon\Idle.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1096
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2816
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:2776
                    • C:\providercommon\Idle.exe
                      "C:\providercommon\Idle.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2532
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\42uKfvaRom.bat"
                        9⤵
                          PID:2780
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            10⤵
                              PID:2832
                            • C:\providercommon\Idle.exe
                              "C:\providercommon\Idle.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1044
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2pbp0wsTa1.bat"
                                11⤵
                                  PID:2568
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    12⤵
                                      PID:1304
                                    • C:\providercommon\Idle.exe
                                      "C:\providercommon\Idle.exe"
                                      12⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1292
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat"
                                        13⤵
                                          PID:2188
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            14⤵
                                              PID:2064
                                            • C:\providercommon\Idle.exe
                                              "C:\providercommon\Idle.exe"
                                              14⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:332
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat"
                                                15⤵
                                                  PID:3032
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    16⤵
                                                      PID:2440
                                                    • C:\providercommon\Idle.exe
                                                      "C:\providercommon\Idle.exe"
                                                      16⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1848
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat"
                                                        17⤵
                                                          PID:884
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            18⤵
                                                              PID:1400
                                                            • C:\providercommon\Idle.exe
                                                              "C:\providercommon\Idle.exe"
                                                              18⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2456
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pFE2FgvhS1.bat"
                                                                19⤵
                                                                  PID:2292
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    20⤵
                                                                      PID:2468
                                                                    • C:\providercommon\Idle.exe
                                                                      "C:\providercommon\Idle.exe"
                                                                      20⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2876
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat"
                                                                        21⤵
                                                                          PID:660
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            22⤵
                                                                              PID:956
                                                                            • C:\providercommon\Idle.exe
                                                                              "C:\providercommon\Idle.exe"
                                                                              22⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2104
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\System\es-ES\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\es-ES\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2608
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\System\es-ES\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2592
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\providercommon\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1660
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2100
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1136
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2320
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3044
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2064
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1532
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2972
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\Globalization\MCT\MCT-US\Link\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2016
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Globalization\MCT\MCT-US\Link\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2540
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\Globalization\MCT\MCT-US\Link\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2900
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2348
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1536
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\providercommon\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2424
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2272
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2260
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2404
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2428
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2080
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\Offline Web Pages\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\Offline Web Pages\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:952

Network

MITRE ATT&CK Enterprise v15

                                  Downloads

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                    Filesize

                                    342B

                                    MD5

                                    40893e213daec9c10d097b2b35175363

                                    SHA1

                                    aacd4d23041afd63e4bc07d401967313c178e90c

                                    SHA256

                                    e1ee19f33e90e91b6adae012f517ab4182d514e1696d4f7b75a9a03dcee278e7

                                    SHA512

                                    1c9c5ecaebb04f93d4f61c73b894b9f1778b661f21b8103827e204d39d4bdb0ebeaecf6be69c6e573d2c43981454f400e356e11d720f7f91d278211fbd38d4f9

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                    Filesize

                                    342B

                                    MD5

                                    fa416fd3ea5a33b49c1eeda23351cb4b

                                    SHA1

                                    92748dc18970a6b25e158d960da15ba582d47774

                                    SHA256

                                    33805d52a4cc673149440b18a1c02e5f904586228993934202eea88743f1ebac

                                    SHA512

                                    e7cdfafeb5feb74991cab47c848befc0c5029365d34c8fc74341a54bd5b99258cf32dd8168d5cd16bc1777b32ebeb415a1ce3794088b010e070cc80bfedc679f

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                    Filesize

                                    342B

                                    MD5

                                    315c49c41adeb0e200c465588f534a9a

                                    SHA1

                                    cf6272e43119ae19b892817bdb77fe30e1ba92ed

                                    SHA256

                                    3db4d387ffec145dd0cfb9d2781fbdf220dde931a3d0a497bf175aca19c44df3

                                    SHA512

                                    48c218b924f605116fe00427d5e6ac343c2f0f227c0cfd70fa54772cf89bd3fe70090ec807c5325eae8f00f8d763862f752d900bff137a68f5e4f0f57ca72ec1

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                    Filesize

                                    342B

                                    MD5

                                    d9d09366899968a8ae6ca63eb405cc7d

                                    SHA1

                                    f7be2c44efeb16ea6a574d031e8a162261e52738

                                    SHA256

                                    eb20579f45b352c819364b14a772805dfb024323829bc87ef0f8f273ce5fe750

                                    SHA512

                                    118e39f33edfbbd70cd19e80a33e07ca58c4a3f93eac21988e5db26bedb445c6b92b1343bce980e01bd5d54b3985698fa762eab81b1a46c9751fb2750056d9aa

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                    Filesize

                                    342B

                                    MD5

                                    6b1aebafda0b4f923eb3c7b8c99628c4

                                    SHA1

                                    6a869140287afc8cef7224b9074499d6a6f244f7

                                    SHA256

                                    6149e50e1b4c993084e817f52a0d59f4246b38a1b0ff5b682080e018f40e1ae1

                                    SHA512

                                    756b141a0f55257ccf6a425f341ce2af622e1d497e33391a231834d979bf21ef5e5b798f95e266ae6b8cbe1e2b0a96d181e1f803ddb1c3e3133ae1c3dff0e9e5

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                    Filesize

                                    342B

                                    MD5

                                    8c0adf540900ef5a7516c5367e952a1c

                                    SHA1

                                    ba6ea09ec1cceb144daf5bab674052b635cfaf1e

                                    SHA256

                                    464650818a4056aca8f11785e21024491cad8c01027d7f63f0314b1911e8d8b7

                                    SHA512

                                    83f514331cc3bbaa6975c5c64a03370a993bc35a1d8c4e761d6c04afda4832a92d08e43fc24bb9a89332dda7f3b550a6693c990dd77a598817c0b1b68d42016b

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                    Filesize

                                    342B

                                    MD5

                                    63750cf7791dfe212ef68790af953a90

                                    SHA1

                                    14dd8ced8c1942a1ed9fd095289be15f573a2a1f

                                    SHA256

                                    35435b5f17344cefc5f05712b2045385f7e1b540cf27571fc34ef36fccc03430

                                    SHA512

                                    fa8519f1aa69da431e0d59ec34a6dc88b32b3f744f7a0f358acbabc9e0c2233708cb4f55b78b5b6fdf8e33e37e27893c5df7edb52c9f738e0aa62031d0c6e98d

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                    Filesize

                                    342B

                                    MD5

                                    b04d1aa50e3677b3ac157e9ea09450f8

                                    SHA1

                                    1ed9fc0d3956f0b372a486d17464bc6737e2c6b7

                                    SHA256

                                    fbb634b879d15bb7871fbacd6c3291f905f78a83f5cd0eba6ce3ea999f814f7e

                                    SHA512

                                    e4959b1ed5cd6fe5614350220df84a69f96d168248b81139bf09e3d8ffbddbf9f9500e09eeac49c1d5586993e87af80d106317cd17d86781523d876eab9c4156

                                  • C:\Users\Admin\AppData\Local\Temp\2pbp0wsTa1.bat

                                    Filesize

                                    191B

                                    MD5

                                    d8ba1f0ab09037707c85f65baee01bcb

                                    SHA1

                                    d57c412e00daf32a8a0b389cceca9fb0648d3bc5

                                    SHA256

                                    f929d60da0afce9e8df3991d7227ac6ea23509f6d58df735e696b5526884c45f

                                    SHA512

                                    dc780383d71059248804de076378867df49340039fbc3fc6aa08375665acd843310cc2d8511eaa68e15b2e4e41e05c8239904e488d3f9b1f229e3b08d49ccb86

                                  • C:\Users\Admin\AppData\Local\Temp\42uKfvaRom.bat

                                    Filesize

                                    191B

                                    MD5

                                    315faedf98292c72300c559e2c0ad0fd

                                    SHA1

                                    88cf1b59a00d42140a45debc992537e146c4d590

                                    SHA256

                                    e907aa06262a69cf0a56116c4f43cb6bfd34819874c241e08a16cf2b7dd476e9

                                    SHA512

                                    8b12db2b247dafe4337b6e90aad299cd04f746c8c953f54c447ccebb774ea73f94512f0bd0c1e63783b91e34c35fbb0fd7336a3fb064b852fa5fc10ce75ca345

                                  • C:\Users\Admin\AppData\Local\Temp\89RR0iqaMb.bat

                                    Filesize

                                    191B

                                    MD5

                                    a366d3de4af1b50b53bcf22bfa519bb8

                                    SHA1

                                    533bd511fbab7ddc01b8a2a758ee824adbfa04f6

                                    SHA256

                                    7967e2a937817ed80df9bac2496f37646ea839b2bb4c1363148f6b459b459711

                                    SHA512

                                    6f153db20fb29fb951c132f2f67fc46ae40658244696a601926ab2aae61897f91aaa0557442737b82f173777bf2329d7ef1614af327e4bd28f06d60709da2c02

                                  • C:\Users\Admin\AppData\Local\Temp\CabA1CD.tmp

                                    Filesize

                                    70KB

                                    MD5

                                    49aebf8cbd62d92ac215b2923fb1b9f5

                                    SHA1

                                    1723be06719828dda65ad804298d0431f6aff976

                                    SHA256

                                    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                    SHA512

                                    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                  • C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat

                                    Filesize

                                    191B

                                    MD5

                                    8ac77212b7ca1da79b6c2254b23e730b

                                    SHA1

                                    3a839d66ba6ad2485ca3ce0ae2215b12d3802451

                                    SHA256

                                    844e5d51605edd89c9a0a4a8cbbb257bb507a847e37537291ff30560bcd69751

                                    SHA512

                                    fa902bd655588c0a8e4f66fbb6eaafa4d8f7d57b285171c0bdb0ee43b5fd62311040ca2ed4fda968203a6f27657be5361f8c93fbc5eb8b75e61a56c9204ff33d

                                  • C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat

                                    Filesize

                                    191B

                                    MD5

                                    67b8c4d0fee7e795fea5e6701446c5d7

                                    SHA1

                                    0938b4f05bf6b118cafcc31a6d0a6789d5e7b94d

                                    SHA256

                                    36eb0fa393a6e2a4b05fa42f344f8f7cd5aade93fdc4ae7694d3d664b87ca22d

                                    SHA512

                                    7e41b8c8c44ba339e8574898ca9393c92e129dfa5d5a9698fed6c908527419e6ef0d59566f7781ca209b603b5f0d2de42f6750c44ec3c9cd4819cba5983de896

                                  • C:\Users\Admin\AppData\Local\Temp\TarA1FF.tmp

                                    Filesize

                                    181KB

                                    MD5

                                    4ea6026cf93ec6338144661bf1202cd1

                                    SHA1

                                    a1dec9044f750ad887935a01430bf49322fbdcb7

                                    SHA256

                                    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                    SHA512

                                    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                  • C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat

                                    Filesize

                                    191B

                                    MD5

                                    8e8a8705fc732843cdfe7af310315b45

                                    SHA1

                                    f3b97918c921a5f1e7f29c9acb79b3c0834d55f5

                                    SHA256

                                    13e6779ba9ade9a1aa60fc3e8bbc7ddd10184d9d99a2ae8a0112eeced9114716

                                    SHA512

                                    56b07d126158e336a4dde25ab8c23c5d786e007cae834295f9c2b1d31532fba24516435d9ec78c3f999299e3ab30ecd3e2f7732d73510a1d6b754564b28729da

                                  • C:\Users\Admin\AppData\Local\Temp\pFE2FgvhS1.bat

                                    Filesize

                                    191B

                                    MD5

                                    86bce818977f4c319510819b66f85fe5

                                    SHA1

                                    c7249610adbf17d9bede92b5b80788e08f650ac2

                                    SHA256

                                    1d71db2b9230f169d264233e68db672bbba4f52bcf745e2276a4129d818bafba

                                    SHA512

                                    9e38a86f6a788576ef39303d68946389e0e036c12ea2aa0370b86df708be290b333d593ad2ab54e1f5673776db9c1217ae660eba5ff3ed8b9253934416da0582

                                  • C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat

                                    Filesize

                                    191B

                                    MD5

                                    a5ba7bde9c8a03fe5b0703f6cd6f7baa

                                    SHA1

                                    8c9e703ec6e987831eae5e30349d961abf04c350

                                    SHA256

                                    b9325d404eca02d64a65cdd1a60fa3dfa092ef67f04fdb0cba3b57bd175705ca

                                    SHA512

                                    23810943efe56bad63236198f1d8941b658c3a7f21f9fc7ab566335f0c6263e4a2bc0d386e23b03cd9b9e9ada315280ff9ce31f7abc92494709a07bcc178799b

                                  • C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat

                                    Filesize

                                    191B

                                    MD5

                                    761fd5615db1d1563594a5591d1e3488

                                    SHA1

                                    3ab7234fe3f0ba53d029e67b6dea673e1926ca16

                                    SHA256

                                    38304b9774c7f9916bf7aa5f5eda72819d28f0bc7011284a73e5cd690baf6a6a

                                    SHA512

                                    127c4eae9a022048f38b1a5cb63151396aedc969302ededbb058a9de349b49d7aaf7c195ac7eb967a22f65840138c347c066f51c4b4f85d5c206ae15cc51542b

                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                    Filesize

                                    7KB

                                    MD5

                                    a604f6471c772f3beab77ee9e930eff6

                                    SHA1

                                    c080d789e95e93a19600b7c03b3ea0db3b7b8145

                                    SHA256

                                    ca06185f36545174db20740dd4fb413cb98af98d1077cdc453f3d7cea1af582d

                                    SHA512

                                    9a4b81f7563c5a915659e9d2760bf73ee1faf0811686cc1e591e5a46bf002b1eff3445e56f138ab5b0eef681393d11a3c5923cd1aaa45fcfb8b973c04605eba7

                                  • C:\providercommon\1zu9dW.bat

                                    Filesize

                                    36B

                                    MD5

                                    6783c3ee07c7d151ceac57f1f9c8bed7

                                    SHA1

                                    17468f98f95bf504cc1f83c49e49a78526b3ea03

                                    SHA256

                                    8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                    SHA512

                                    c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                  • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                    Filesize

                                    197B

                                    MD5

                                    8088241160261560a02c84025d107592

                                    SHA1

                                    083121f7027557570994c9fc211df61730455bb5

                                    SHA256

                                    2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                    SHA512

                                    20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                  • \providercommon\DllCommonsvc.exe

                                    Filesize

                                    1.0MB

                                    MD5

                                    bd31e94b4143c4ce49c17d3af46bcad0

                                    SHA1

                                    f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                    SHA256

                                    b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                    SHA512

                                    f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                  • memory/388-54-0x000000001B2A0000-0x000000001B582000-memory.dmp

                                    Filesize

                                    2.9MB

                                  • memory/388-84-0x0000000002380000-0x0000000002388000-memory.dmp

                                    Filesize

                                    32KB

                                  • memory/1096-93-0x0000000000440000-0x0000000000452000-memory.dmp

                                    Filesize

                                    72KB

                                  • memory/1096-92-0x0000000000F90000-0x00000000010A0000-memory.dmp

                                    Filesize

                                    1.1MB

                                  • memory/1292-270-0x0000000001150000-0x0000000001260000-memory.dmp

                                    Filesize

                                    1.1MB

                                  • memory/1848-390-0x00000000003C0000-0x00000000003D2000-memory.dmp

                                    Filesize

                                    72KB

                                  • memory/1848-389-0x00000000011E0000-0x00000000012F0000-memory.dmp

                                    Filesize

                                    1.1MB

                                  • memory/2104-570-0x0000000001070000-0x0000000001180000-memory.dmp

                                    Filesize

                                    1.1MB

                                  • memory/2104-571-0x00000000003C0000-0x00000000003D2000-memory.dmp

                                    Filesize

                                    72KB

                                  • memory/2456-14-0x00000000005C0000-0x00000000005D2000-memory.dmp

                                    Filesize

                                    72KB

                                  • memory/2456-450-0x00000000002D0000-0x00000000003E0000-memory.dmp

                                    Filesize

                                    1.1MB

                                  • memory/2456-13-0x0000000000F70000-0x0000000001080000-memory.dmp

                                    Filesize

                                    1.1MB

                                  • memory/2456-15-0x00000000005D0000-0x00000000005DC000-memory.dmp

                                    Filesize

                                    48KB

                                  • memory/2456-16-0x00000000005E0000-0x00000000005EC000-memory.dmp

                                    Filesize

                                    48KB

                                  • memory/2456-17-0x00000000005F0000-0x00000000005FC000-memory.dmp

                                    Filesize

                                    48KB

                                  • memory/2876-510-0x0000000000B70000-0x0000000000C80000-memory.dmp

                                    Filesize

                                    1.1MB