Analysis

  • max time kernel
    146s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    21-12-2024 18:48

General

  • Target

    JaffaCakes118_9dbc25a9ac31a1ae014b8af5d0d8a34a1f6ac29a292f8baad2883a898980e29f.exe

  • Size

    1.3MB

  • MD5

    cbde1ed5235d32fcab680dc8016f11a0

  • SHA1

    fa4eff8f5657b0e1fbe9ba397003b6867483d0f0

  • SHA256

    9dbc25a9ac31a1ae014b8af5d0d8a34a1f6ac29a292f8baad2883a898980e29f

  • SHA512

    2d0018663c97093032564ab8d7ab3d49335901943d04287247d2dcd9a5afca3a055581daf295f8f128cf966964b06ef32113421837968db3cf381e7f54773fe9

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 11 IoCs

    Detects the DCRat payload, which is commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    PowerShell is run to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather the victim system's language setting in order to infer the host's geographic location.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9dbc25a9ac31a1ae014b8af5d0d8a34a1f6ac29a292f8baad2883a898980e29f.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9dbc25a9ac31a1ae014b8af5d0d8a34a1f6ac29a292f8baad2883a898980e29f.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1192
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2692
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1640
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:848
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:404
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1704
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2180
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2424
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2268
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1264
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\ja-JP\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1716
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2880
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:948
          • C:\Users\Default User\csrss.exe
            "C:\Users\Default User\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1724
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Usvo58uhQ.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1428
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:1616
                • C:\Users\Default User\csrss.exe
                  "C:\Users\Default User\csrss.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2688
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2636
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:1164
                      • C:\Users\Default User\csrss.exe
                        "C:\Users\Default User\csrss.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3000
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AXFqcUy7ES.bat"
                          10⤵
                            PID:1488
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              11⤵
                                PID:1440
                              • C:\Users\Default User\csrss.exe
                                "C:\Users\Default User\csrss.exe"
                                11⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1956
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZDYK5nApHO.bat"
                                  12⤵
                                    PID:372
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      13⤵
                                        PID:2144
                                      • C:\Users\Default User\csrss.exe
                                        "C:\Users\Default User\csrss.exe"
                                        13⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1724
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat"
                                          14⤵
                                            PID:624
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              15⤵
                                                PID:392
                                              • C:\Users\Default User\csrss.exe
                                                "C:\Users\Default User\csrss.exe"
                                                15⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2584
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\80JI9OTYea.bat"
                                                  16⤵
                                                    PID:1552
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      17⤵
                                                        PID:1072
                                                      • C:\Users\Default User\csrss.exe
                                                        "C:\Users\Default User\csrss.exe"
                                                        17⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:324
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rcE1qBYVKA.bat"
                                                          18⤵
                                                            PID:2168
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              19⤵
                                                                PID:1716
                                                              • C:\Users\Default User\csrss.exe
                                                                "C:\Users\Default User\csrss.exe"
                                                                19⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:1244
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat"
                                                                  20⤵
                                                                    PID:2284
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      21⤵
                                                                        PID:640
                                                                      • C:\Users\Default User\csrss.exe
                                                                        "C:\Users\Default User\csrss.exe"
                                                                        21⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:2700
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat"
                                                                          22⤵
                                                                            PID:1356
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              23⤵
                                                                                PID:2620
                                                                              • C:\Users\Default User\csrss.exe
                                                                                "C:\Users\Default User\csrss.exe"
                                                                                23⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:1140
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat"
                                                                                  24⤵
                                                                                    PID:1680
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      25⤵
                                                                                        PID:2852
                                                                                      • C:\Users\Default User\csrss.exe
                                                                                        "C:\Users\Default User\csrss.exe"
                                                                                        25⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:1348
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2592
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:392
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2732
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1164
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2992
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Libraries\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2400
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1660
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1052
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:372
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1524
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1248
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:664
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2852
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1144
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1136
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:480
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2544
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2284
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2452
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2300
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:288
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:540

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Downloads

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        4870d465b5f30a56fed4d5a5e87aa9ca

                                        SHA1

                                        ab7e1d884841a76cd988d625430de31377378702

                                        SHA256

                                        024fd57392472110f7ae320c8efc7f59e4484f7fa3400415a51df81f368d3be1

                                        SHA512

                                        d8f9afbf706db4aee2fa6d208b9251cee397d210a06c3a01dd851aaf72b2839136128cc2b7a2ec63cf30852a65259aa4075ce7e879abd03249b940e7d58daa7c

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        3708cccfe8d57fe1d6de39880c546e83

                                        SHA1

                                        8edbd51096cba8c011cb57f0044817716a8a30dd

                                        SHA256

                                        4824d053a4207e9b7ce61eea514fdfe6b655c480df8b6f4a836b7cd1a4bed54e

                                        SHA512

                                        a5c6c7c67480b04bdf79d9fd8a56675a02a1c2e659e1e30d202ece4eda400f3449839bb27ea6565245c12f5ca8ad0a06d233cbf41cdda434ed65ffec21892dbd

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        0da5fb0530aa4d527523d0b822e8bff8

                                        SHA1

                                        2c1b036b625145d1a80d2fa29fdf0ecf0ca5e3fd

                                        SHA256

                                        9532d9798c85eeec859a885f08ab114f204d10bad024b4a5b4dec809289489d9

                                        SHA512

                                        f4883a6f8165a5ec29c3c7bd93538e525d09329f513b479cdafd5bac2bc190f0e78d01aa5029a878eca6d57bffb28b4516fc2464ada8390e672f20f50000f5bb

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        4c032d768ab00419f5f4a6d0346a8faf

                                        SHA1

                                        7ff9a750761466ca44e866c51940a0800c8322b5

                                        SHA256

                                        7c038e87a3c450298c8f53517d0fef66912156bae3ba6fbe14856d8518242967

                                        SHA512

                                        10a6a16ed9d77120a329649fc16c63de0fc811768510591a8742d4d0499e885e1eea266794b5c6035b7c28aafe65e14b5df94346ddd946c5200340d231850f89

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        c7a23f786bb3f67be3a4d26749a820be

                                        SHA1

                                        0411aba32c918429d9d57db233f2c83f4cee530d

                                        SHA256

                                        2bff7e51712999894db552716c8e7a89a186cf3f93a65e12901a6daf42497e90

                                        SHA512

                                        c4af3b0c14afbaeb3c832c94a8d77cffe60e126c699cdfa191349c97d2cdbc69ef08420d066df0a6e22bf997e1435242cf4f8bdd5c267aab80fda09b00b3fe34

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        a8469c2cf3d03c76ae4ee748bc03a8fa

                                        SHA1

                                        00c14db11f06c68597f5fa5fa3eebd29c11fb12a

                                        SHA256

                                        f4084ae13b678f7ad66f577b5eaee8bab025f0681533d8a73f2529579c68d355

                                        SHA512

                                        ba86241c679a2323cd837abcd867b09f6e67390657e45501ac0a9c49ce5dfe8b787e75aadf669eb141425188922f58f83b4fbca7ae327d2bb9ec67c0a4a0b076

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        557f0bdbe9436be338a1e738be4a0ebe

                                        SHA1

                                        a8a83cd4d183e81c346347a5b44a9ffc8696b582

                                        SHA256

                                        a836399e4b3d85f50f7e616c2140f4abbb1d71b45fbe993a26a139bbf45bd672

                                        SHA512

                                        74b6fd822bc16b8c3b0c4334536f8643b2c37a86f483748d75831d3018e62edeafc7d2488c1f1c51c2c7db854864e1f4f3a05b85f72dc9f444b4cc50ff7a006d

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        79346e1123d3a902267bfc9dc1cd0541

                                        SHA1

                                        1b6193ad3c99a6d4f443b61e3ff9060f4de46aba

                                        SHA256

                                        e4e159abc60c1a7ad63eda424693602325a8d96d8ca31fc4797717837408bbdf

                                        SHA512

                                        9a51124bc272185330dce6dbf84b26b0ec40d11d1df79d65d5a1acae8582f8db3964be8a75cb7d18c89982f77b7e2612a89de83e36361106d922b22fb93611e1

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        80c7c2c77adc0d7b86620fb5a6b8e352

                                        SHA1

                                        4bf7f7ac253068701fb6e21ed9004e56f332f7c8

                                        SHA256

                                        9aee9acf4879d29dea20db4987366295e06bfbef65756fca1e391c33993f10f6

                                        SHA512

                                        a6a3f04e4a1a9662dc427efcc91a7bdadd4b8a6fba4b14147b4aaad401fb134a7f026e0eb8cc0d5127b4df1b48d577c44ea3059b08c1430308b25a2a909fc614

                                      • C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat

                                        Filesize

                                        196B

                                        MD5

                                        db51a13e8026478aef0e44dc95b17b23

                                        SHA1

                                        e49b81e22dc4c70f85eeeb4267782e3d7cbac295

                                        SHA256

                                        220cd46fefc8343dd6ffa35545b6ce28a58710eca52cc9706e07e4b3107b3b61

                                        SHA512

                                        4263bae9581d258f25a63bc0bb13852e6eea223738d345afe85c92e43bc3398509f3f4dcc2b2161b116a5394e2c27a6cc4c31debcd405a9d0c700af732a86bc7

                                      • C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat

                                        Filesize

                                        196B

                                        MD5

                                        af2055312bb7a2cc59a3cc1d5c17ddc4

                                        SHA1

                                        6ffe297aebd07ef97748f133f26f347ff8a5b505

                                        SHA256

                                        360e3ab10c479a62d2d167a16669a0d2fe66f56b6f47f998e7cf3f1fac4d739c

                                        SHA512

                                        d3e73435d32aa5895c7d783b9695c318bfe9be864bf9e44855b2a91cd76dc96cbf2d7b1cc2d740e4967ea56975cf24524e9182727cf34e634edac48c0be37253

                                      • C:\Users\Admin\AppData\Local\Temp\80JI9OTYea.bat

                                        Filesize

                                        196B

                                        MD5

                                        9409f274a80f55eb382668ba388932f2

                                        SHA1

                                        9de03145add593b89f12be385dd4d9be99912048

                                        SHA256

                                        5bb868a9a7dd6faae786ebe812de8218e80d1761877d48b877b32ca14af070a8

                                        SHA512

                                        22b46f62468cc4400194bc3896a4819c2ae68956f0df3cbc16d6c84e264ec748d7f9a66324c6c4ed5f94e3fcfb3897bac576da8aa89bd066666a796b34cbe327

                                      • C:\Users\Admin\AppData\Local\Temp\8Usvo58uhQ.bat

                                        Filesize

                                        196B

                                        MD5

                                        299605d4bb3883ce955487f2c97a3b87

                                        SHA1

                                        c85c72e3b44ea82b1c285a4c500c156ba73a62f6

                                        SHA256

                                        d5a61f563308d9a3f7852e3f4f858ef23764c1324794691f222548f481c031b1

                                        SHA512

                                        07831c4a08a449579e167dab7ddf84ad4f9639caa2edb493aa7b10d89b16616a6ae54bbd4e2d981542cc3ac016f47f46de82631114c774de2dcd75ff568b855e

                                      • C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat

                                        Filesize

                                        196B

                                        MD5

                                        b3d39d835c43ec73324ad9750764840f

                                        SHA1

                                        c40aa500bd16403ddc5eb0fd56cf1c3e9bf0c231

                                        SHA256

                                        ad6307923d88ae020ea4781b4eda660397bd758c6832e356ffa4d325ed61421c

                                        SHA512

                                        060421d20006caccddcf3b467245cfe688537d0c7cde3ac592648fad92bc733c2048e8b316dd6cd4eb5bc9304cca6e399054ff52e68606d1da4d4c95ccff58aa

                                      • C:\Users\Admin\AppData\Local\Temp\AXFqcUy7ES.bat

                                        Filesize

                                        196B

                                        MD5

                                        d9bed7acbc6e11c80324a50a985ac8ea

                                        SHA1

                                        9f424efcfc5955cd9743613a9f95facf809b16a7

                                        SHA256

                                        878d44ddfdc24d21f949d5a4d28cf888d8731ccaf2c239633a28ca5d48c6de6a

                                        SHA512

                                        82d7cec09ded19067cb2e4953c4f45b56ac4fc51b704d43ec7c42d7a72c3ed5d6448bd8eb4f63592dc22facb9bd38b53122d0b8f36d44ab33a111288cd13d3f8

                                      • C:\Users\Admin\AppData\Local\Temp\CabC65D.tmp

                                        Filesize

                                        70KB

                                        MD5

                                        49aebf8cbd62d92ac215b2923fb1b9f5

                                        SHA1

                                        1723be06719828dda65ad804298d0431f6aff976

                                        SHA256

                                        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                        SHA512

                                        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                      • C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat

                                        Filesize

                                        196B

                                        MD5

                                        bdb33891fef6a64d602d5f21d94bcdc5

                                        SHA1

                                        309b1f1e7ead93d57d87ca9a014e4c97e2652237

                                        SHA256

                                        038e0d7e2b51f43ead90b564a5a9dd6abb75885a3b5ef7bae9250ff0532cf725

                                        SHA512

                                        9355323929bce2ac85c28101f00313c057dd2e825ab95c076cf8b11e7714de4485b6c7474d979f0751474340ecbfb72bd6bd8d6641430c4f55abbeae284c2512

                                      • C:\Users\Admin\AppData\Local\Temp\TarC670.tmp

                                        Filesize

                                        181KB

                                        MD5

                                        4ea6026cf93ec6338144661bf1202cd1

                                        SHA1

                                        a1dec9044f750ad887935a01430bf49322fbdcb7

                                        SHA256

                                        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                        SHA512

                                        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                      • C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat

                                        Filesize

                                        196B

                                        MD5

                                        13fcf4a3521448cc0545319f477c81a1

                                        SHA1

                                        2f7c85b9af3041ac5099172ca196c3c3f00b0986

                                        SHA256

                                        554379f7a9a4493a631824075480fc7d04e5570706518dbeef012a8f032d6d73

                                        SHA512

                                        a83fa8ea041b604ce220365d82f907f288605d15c524d1c64bec9708f1e4173b4250c97a00183db54f7f366eb69202efa1af762454e7f6b06b1d5a527a171965

                                      • C:\Users\Admin\AppData\Local\Temp\ZDYK5nApHO.bat

                                        Filesize

                                        196B

                                        MD5

                                        3cde5d2720da3f44326eee0a491b9ecb

                                        SHA1

                                        c7ec066fe120201680d6a4fcf7ddeb1b42ca3c33

                                        SHA256

                                        a809f77fcd7451a89806ef8e1c2164a560ce7934f60739e22abd9ce7b6212148

                                        SHA512

                                        425a914b030c60b7ce37a78e0b74033147fa5a7af9ba32aa2fb1e5d6060dd2e85999e3fcb526084b4b89fef95e70ac2e6cacef887ba9d3fc61e48ae8e15bd8d6

                                      • C:\Users\Admin\AppData\Local\Temp\rcE1qBYVKA.bat

                                        Filesize

                                        196B

                                        MD5

                                        4a21ecf2e34d5a36f687f37efa3de075

                                        SHA1

                                        8296e369062653b731f807dcc4459aaa5e6d2a9b

                                        SHA256

                                        a6ddb568dd8233d4b39d65d1ba125ad75069ff6699be71e319350907fce1ad0d

                                        SHA512

                                        ceb4e5bec4cd83a45fb9ccfce76b014e63eeba7b29704785f31ff4973e0f745cf6af173544c98c63073f6bbd3cba8dd4b2b81cfda17d8574da33ec97d291fd5e

                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                        Filesize

                                        7KB

                                        MD5

                                        fcabe71e66273b3a36d05fcf5db63225

                                        SHA1

                                        df4944eb5c38239c399f6673465c4dbbf92d786a

                                        SHA256

                                        e3922f991ab924af19617b48fb3646426cbb852cfba64d2e568c0b58a94e5d18

                                        SHA512

                                        49b8c17724099193ddd8d965afdfeff4d187ec0d2b2c1784ded8e7ea9bd1d1e4bf48554f83b9f11f9345fa4afad1af6bbacc69f86875ba5f60f264681c96128a

                                      • C:\providercommon\1zu9dW.bat

                                        Filesize

                                        36B

                                        MD5

                                        6783c3ee07c7d151ceac57f1f9c8bed7

                                        SHA1

                                        17468f98f95bf504cc1f83c49e49a78526b3ea03

                                        SHA256

                                        8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                        SHA512

                                        c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                      • C:\providercommon\DllCommonsvc.exe

                                        Filesize

                                        1.0MB

                                        MD5

                                        bd31e94b4143c4ce49c17d3af46bcad0

                                        SHA1

                                        f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                        SHA256

                                        b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                        SHA512

                                        f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                      • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                        Filesize

                                        197B

                                        MD5

                                        8088241160261560a02c84025d107592

                                        SHA1

                                        083121f7027557570994c9fc211df61730455bb5

                                        SHA256

                                        2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                        SHA512

                                        20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                      • memory/324-453-0x0000000001320000-0x0000000001430000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/404-53-0x0000000001F70000-0x0000000001F78000-memory.dmp

                                        Filesize

                                        32KB

                                      • memory/404-49-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

                                        Filesize

                                        2.9MB

                                      • memory/1140-633-0x0000000000DA0000-0x0000000000EB0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1348-693-0x0000000000FE0000-0x00000000010F0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1724-333-0x00000000004C0000-0x00000000004D2000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/1724-332-0x00000000010B0000-0x00000000011C0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1724-44-0x0000000000CC0000-0x0000000000DD0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1956-272-0x0000000000050000-0x0000000000160000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2584-393-0x00000000011D0000-0x00000000012E0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2692-15-0x00000000002F0000-0x00000000002FC000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/2692-16-0x00000000002E0000-0x00000000002EC000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/2692-17-0x0000000000600000-0x000000000060C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/2692-14-0x00000000002D0000-0x00000000002E2000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/2692-13-0x0000000000380000-0x0000000000490000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2700-573-0x00000000001D0000-0x00000000001E2000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/2700-572-0x00000000001E0000-0x00000000002F0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/3000-212-0x0000000000F00000-0x0000000001010000-memory.dmp

                                        Filesize

                                        1.1MB