Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 19:01

General

  • Target

    JaffaCakes118_5e3d224eaacd3dc4249cbc75f7e795b0332c8cb328515963413483a85a19f953.exe

  • Size

    1.3MB

  • MD5

    e646f9464557838393e0637065e0c1fa

  • SHA1

    09eacb5b59064dd42b3e241959fa55a9ad2f2f90

  • SHA256

    5e3d224eaacd3dc4249cbc75f7e795b0332c8cb328515963413483a85a19f953

  • SHA512

    a597866b73f46dbcc0f34880d2e0f96cac19c482d0fa3cc14a49bd3344feadb0db3dc30ec55a574790c495ad23292399b8077f1dfa1d290f6f3472a8b8118620

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 12 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e3d224eaacd3dc4249cbc75f7e795b0332c8cb328515963413483a85a19f953.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e3d224eaacd3dc4249cbc75f7e795b0332c8cb328515963413483a85a19f953.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2052
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2492
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2912
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2984
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2976
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2960
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3004
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2936
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2896
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2892
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3000
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1712
          • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe
            "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2800
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2520
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2652
                • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe
                  "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:624
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:844
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:316
                      • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe
                        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2620
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat"
                          10⤵
                            PID:1992
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              11⤵
                                PID:1600
                              • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe
                                "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe"
                                11⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2996
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\biigBqxW9T.bat"
                                  12⤵
                                    PID:2752
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      13⤵
                                        PID:2540
                                      • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe
                                        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe"
                                        13⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2212
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat"
                                          14⤵
                                            PID:1952
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              15⤵
                                                PID:1288
                                              • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe
                                                "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe"
                                                15⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1972
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat"
                                                  16⤵
                                                    PID:2400
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      17⤵
                                                        PID:940
                                                      • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe
                                                        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe"
                                                        17⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2204
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aTd08pZfDw.bat"
                                                          18⤵
                                                            PID:2816
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              19⤵
                                                                PID:2068
                                                              • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe
                                                                "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe"
                                                                19⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2024
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat"
                                                                  20⤵
                                                                    PID:968
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      21⤵
                                                                        PID:1560
                                                                      • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe
                                                                        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe"
                                                                        21⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:2988
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XBBOHPKclM.bat"
                                                                          22⤵
                                                                            PID:1528
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              23⤵
                                                                                PID:2992
                                                                              • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe
                                                                                "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe"
                                                                                23⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:1584
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat"
                                                                                  24⤵
                                                                                    PID:1768
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      25⤵
                                                                                        PID:1708
                                                                                      • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe
                                                                                        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe"
                                                                                        25⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:3020
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2908
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\providercommon\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2808
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2076
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1400
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:296
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\providercommon\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1016
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:888
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1444
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:752
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1144
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2988
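The schtasks lines above follow one pattern per dropped payload: three tasks per binary (a MINUTE re-launch, an ONLOGON task, and a MINUTE re-launch with /rl HIGHEST), each named after the target's file stem, each pointing at a system-binary name (cmd.exe, smss.exe, dllhost.exe) that lives outside System32. The script below is an added example, not part of the sandbox report or of the malware; it parses schtasks command lines and scores them against those traits. The sample lines are copied from the process tree, the benign "ExampleUpdater" control line and the scoring weights are constructed assumptions.

```python
import re
import ntpath
from dataclasses import dataclass, field

# Constructed sample: four lines from the process tree above plus one benign
# control (the vendor updater task is invented for contrast).
SAMPLE_CMDLINES = r"""
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\providercommon\cmd.exe'" /f
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\smss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\dllhost.exe'" /f
schtasks.exe /create /tn "ExampleUpdater" /sc DAILY /st 09:00 /tr "C:\Program Files\Example\update.exe"
""".strip().splitlines()

# Binaries Windows ships in System32; launching a file with one of these names
# from anywhere else is masquerading. Assumed list, extend as needed.
SYSTEM_BINARIES = {
    "cmd.exe", "smss.exe", "dllhost.exe", "csrss.exe", "lsass.exe",
    "svchost.exe", "winlogon.exe", "conhost.exe", "explorer.exe",
}
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}

# /key optionally followed by a value; a value never starts with "/" so that
# bare flags such as /create and /f do not swallow the next switch.
_ARG = re.compile(r'/(?P<key>[a-z]+)(?:\s+(?P<val>"[^"]*"|(?!/)\S+))?', re.I)


def parse_schtasks(cmdline: str) -> dict:
    """Map switches to values; bare flags map to True. Strips the double quotes
    and the extra single quotes the sample wraps around the /tr path."""
    args = {}
    for m in _ARG.finditer(cmdline):
        val = m.group("val")
        args[m.group("key").lower()] = val.strip('"').strip("'") if val else True
    return args


@dataclass
class Finding:
    cmdline: str
    task: str
    target: str
    score: int = 0
    reasons: list = field(default_factory=list)


def triage_task(cmdline: str) -> Finding:
    """Score one schtasks /create line; weights are assumptions, not a standard."""
    a = parse_schtasks(cmdline)
    target = a["tr"] if isinstance(a.get("tr"), str) else ""
    f = Finding(cmdline=cmdline, task=str(a.get("tn", "")), target=target)
    if a.get("create") is not True:
        return f                       # only task creation is a persistence attempt
    base = ntpath.basename(target).lower()
    folder = ntpath.dirname(target).lower()
    if base in SYSTEM_BINARIES and folder not in EXPECTED_DIRS:
        f.score += 4
        f.reasons.append(f"{base} launched from non-system directory {folder}")
    if len(folder.split("\\")) == 2:   # e.g. c:\providercommon: a custom top-level folder
        f.score += 1
        f.reasons.append("target lives in a custom top-level folder")
    sc = str(a.get("sc", "")).upper()
    if sc == "MINUTE":
        mo = str(a.get("mo", "1"))
        every = int(mo) if mo.isdigit() else 1
        if every <= 15:
            f.score += 2
            f.reasons.append(f"re-launched every {every} min (self-healing persistence)")
    if sc == "ONLOGON":
        f.score += 1
        f.reasons.append("runs at every logon")
    if str(a.get("rl", "")).upper() == "HIGHEST":
        f.score += 2
        f.reasons.append("/rl HIGHEST: runs with the highest privileges available")
    stem = base[:-4] if base.endswith(".exe") else base
    tn = f.task.lower()
    if stem and tn.startswith(stem) and len(tn) - len(stem) <= 1:
        f.score += 1
        f.reasons.append("task name derived from target file name (cmd/cmdc style)")
    if a.get("f") is True:
        f.score += 1
        f.reasons.append("/f overwrites any existing task of that name")
    return f


def triage_all(cmdlines, threshold: int = 4) -> list:
    """Return findings at or above the threshold, highest score first."""
    found = [triage_task(c) for c in cmdlines]
    return sorted((x for x in found if x.score >= threshold), key=lambda x: -x.score)


if __name__ == "__main__":
    for hit in triage_all(SAMPLE_CMDLINES):
        print(f"[{hit.score}] {hit.task} -> {hit.target}")
        for r in hit.reasons:
            print("    -", r)
```

The same function applies to Security event 4698 (task created) or Sysmon event 1 command lines; feed the CommandLine field of any schtasks.exe process in place of the constructed sample. The masquerading rule alone scores 4, so every line from this report clears the threshold on that check before the schedule and privilege traits are counted.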

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Downloads

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        83b6026bf6f159d7c6cce276533f8818

                                        SHA1

                                        a72bb4ec711276eff25eee7039014577fa8a9f5a

                                        SHA256

                                        dbf1be1ba42d843f87b389bb4571545c7310252323888a0666e5bb3792495326

                                        SHA512

                                        919c2f6e3bb30c580b8b21d1122dd04353854b05c05f4f170de1d9ac63e24b9c47a7dcb3467ed6da81f2a62c985142c661abe9e94f22e36abfecaaf22e0d73f0

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        a52102987e358c614e869426a930222b

                                        SHA1

                                        9131d95522f6d0b3b7f651dce9661b0494a1f94a

                                        SHA256

                                        a3470149c1f418fd0c2df3f9420fb3fbc40f73c6e29748b0b4e9649101905ae5

                                        SHA512

                                        cf54d6199157975e55b8e1a0215ea01d9a9045c1c139bc072085133c814db6ea4c6d64bb19ca9bc8229347409c0a5112b1a0b7b69d3336b6a4be005b9b09f92f

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        d2d6bcf8b7dac36645ce6d9c075cb018

                                        SHA1

                                        a526852df21b9202c2ece98fc30f28bb00fc52a8

                                        SHA256

                                        84e74b6ef992cf6781024b2d585b5551a7c7ca05641f8e2be660a4d78d4cbed3

                                        SHA512

                                        568a7a783e5e1ee9018ddeb5b35784941cf1e44fbfb31045236971ceb8d3f4147f82479bd9c79765069496d882c9b0797df89aaca959ac9b0b01d5b41d1cd171

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        3cc1b88b046b50fedca82fb1d66dc5c4

                                        SHA1

                                        f42bc4ef6c98400ff323a09a35a23e1af7292455

                                        SHA256

                                        0ffd8c0f92bf59b08b842fda0303a8c13e9baee2e41204e128e7a17f81e86cff

                                        SHA512

                                        f914f1ae03322c0626a62af71195da70566180ada93a8878d07aaa21c2d5ca8b8f3a22e628fafb9a2372bacc39bce13e0ea2c6ff946789439521e4b43b32d6df

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        aee2c720e8ea281e20093afd3f2b60b0

                                        SHA1

                                        fc8fce345f726254d09ad642c42aa66f46483c9e

                                        SHA256

                                        863102b66fc3269c2048e06ab000a1941e2ded7d25be22fed1aa049734b07d81

                                        SHA512

                                        14e184ecf0b027a39d85f50f27823560acf24bc79e4e50193cd54c5a764405227166cc6b2759f6e71b35bd579e1a44f533a3d4a33dc744c472b5977544a1d1ef

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        e88339de54dccbf44b8f1624f54a87ab

                                        SHA1

                                        2ec84e84b4b963f93276c44efc6c30ae30e69fea

                                        SHA256

                                        c648fd8f1e6878deb3f1370a5aa51e175528e5532b444169aa2c6468a01a32ab

                                        SHA512

                                        1a588fe47a2adb98088b10f24cb3733b4da672fc7110bd77fba3d6b28b07f732a4f1d63d8d654b6f989ac7ca493ba6acb838c4d3e0d301d644683f2a818f363b

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        522063af94e8bbc16389e98286db7ab1

                                        SHA1

                                        1b229fdf3fc0936f9a8d7311fa889f536b7e535a

                                        SHA256

                                        36a71d4cc76cbe7214396c2ab23973b21cb609a7593c26d05a1576d401f1d1ff

                                        SHA512

                                        bb63ebfc4eeba135dd23bfdce9a7b17bfbfdcb7040ecae99d658fe52550d526e289b2b690148dbcfa2b328c9e4f91ace4f843b611341d452e41c0bc23c94e677

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        a4808cf80ce627727f4d992b0f22c3ac

                                        SHA1

                                        e849468ffd706899a31041a9d8b38844f10c1987

                                        SHA256

                                        7558134540f041059adc7b16eaf53596f22bab75da23d880dadd242e86aa4a85

                                        SHA512

                                        f217e963f963f4c7063803cb08ac72f1198d553e9129f90a23725ecff19dd77c794073b902c6be42640d44d01a6cf19e8f667c44c2b64634f7cdb5f5c1ec7d56

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        f84768cf5627f9c5f02d2caed3b01f06

                                        SHA1

                                        f7dd8257c3a7b621732182d7b483e77980b98089

                                        SHA256

                                        bcf8d262ac51b7633651c00040236440010497d9b52a5d0bf068117836db9ce1

                                        SHA512

                                        95ca7423d844a8b013fe968d1a399661ef1efd50c0356aa8de80e0fbf69f8ae122fbb3c7b938b05e96035af6af81380c860e16258b388ac6af95303af81947d0

                                      • C:\Users\Admin\AppData\Local\Temp\CabF588.tmp

                                        Filesize

                                        70KB

                                        MD5

                                        49aebf8cbd62d92ac215b2923fb1b9f5

                                        SHA1

                                        1723be06719828dda65ad804298d0431f6aff976

                                        SHA256

                                        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                        SHA512

                                        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                      • C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat

                                        Filesize

                                        240B

                                        MD5

                                        fd0be3c3899ebe95a1203ba35f5db1da

                                        SHA1

                                        9a7c38566b207cffd503990771eb9aaefa3435d1

                                        SHA256

                                        6ce2a42d2c32053143ead159a52c994ba876e71c1c588f9b7a0d1d679b423e29

                                        SHA512

                                        f262160543b046b6d6d5393f171b63030fa6226728175c2e2c31744185cd2533b922c27d7ee6a460925ca870d61844df24a9b29192a06c65f7001b1bf8bb8be1

                                      • C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat

                                        Filesize

                                        240B

                                        MD5

                                        548bf34ea88f59d95d28e0df9cadc7af

                                        SHA1

                                        c406e5d343b92a99ba14d0b19af36f836399cea1

                                        SHA256

                                        4b58b126a4cbc153ac1ac2c8d71f320ce8f5b68a15b3b464d92065adfde0bac1

                                        SHA512

                                        589e015dc0627f6ad67a44e6f7de249032a7cd17f9520d8d488ec73d18fdbb487e94a4629ee5a22af91083cec552016a1bf58749e305a0270d717d69db30214d

                                      • C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat

                                        Filesize

                                        240B

                                        MD5

                                        4038575ebd201910086fd500e4bd2ffb

                                        SHA1

                                        289b4e926466ae3b1b748781174d984c95dd1d4a

                                        SHA256

                                        8b02686eed9984c55198ce5b2dca5dbb397cd7bcd742d7b1c8cbcf74c3931f4b

                                        SHA512

                                        634553fbb20d962a513c96e134c7bcb49bfab3c6cf329c0f457fc4f7eb12331b4b41156142f7c06ee8bc3051187c2faa6bcebf991b061dcbd13420c61b962242

                                      • C:\Users\Admin\AppData\Local\Temp\TarF59A.tmp

                                        Filesize

                                        181KB

                                        MD5

                                        4ea6026cf93ec6338144661bf1202cd1

                                        SHA1

                                        a1dec9044f750ad887935a01430bf49322fbdcb7

                                        SHA256

                                        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                        SHA512

                                        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                      • C:\Users\Admin\AppData\Local\Temp\XBBOHPKclM.bat

                                        Filesize

                                        240B

                                        MD5

                                        b0d94372173dcb686a59265577a6859e

                                        SHA1

                                        8316674c30fccdb344809cc6e437e2a25a31dff1

                                        SHA256

                                        d7a448b9bde1d0c15b87918ef3cb0fa21ba8fa764f3a97939985487d474c5890

                                        SHA512

                                        31a37128019957424eb8c4e385e3fa692489bccf7f12baa13f1c6bde8915c07d61fc6809d9dcab2dc2aec1ae662af5f651133ee3f7162e97156df9b880f35935

                                      • C:\Users\Admin\AppData\Local\Temp\aTd08pZfDw.bat

                                        Filesize

                                        240B

                                        MD5

                                        3e391eaccfa2ebdbf09ef98945501027

                                        SHA1

                                        f075979e7f20a9fab81ad8df7d057440b4680100

                                        SHA256

                                        00f2c8f465e3e19f4930886cab41051316218834e369106a8706783f7f782b58

                                        SHA512

                                        d2697c63557fe4484c622c113baaed911e68301dc73bee31bc3584200e8be6c3a8adaec69392eec4db2fe85b4fe00839426912e78a614d9abba1eeafc7fd5001

                                      • C:\Users\Admin\AppData\Local\Temp\biigBqxW9T.bat

                                        Filesize

                                        240B

                                        MD5

                                        110937eb60aea651b23b04705362c20d

                                        SHA1

                                        3137317d6ede096a70d7e701a031b655defc00da

                                        SHA256

                                        f6fa6532d064b4029d3e596b03f4f5363d379e6e3551f53f4a05bdedab0a735d

                                        SHA512

                                        2871490da474cf5d23f95c42e76ac184f5c29a07199b1152fe12882d8ae377b6317d9423b504f5884eb61427c26dcb6025bedb54edec06eb3b34bb6ef5dc856a

                                      • C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat

                                        Filesize

                                        240B

                                        MD5

                                        8b20866d873604120eecb0c66adb7f74

                                        SHA1

                                        e1c7060128464c8f0148ccab115e9ee2df320e8a

                                        SHA256

                                        9fd074427f824a4f6ec078569b2dfa2598cfbc4445d27a662991f6e7b108a25c

                                        SHA512

                                        b811a439b208a47318e3046b27ca6fd54c49b72354c7df7f44dd9058279f717be7dfef84bbb5ae875d627a04c141b05088766ee44d6c7c592a15cfd62671be18

                                      • C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat

                                        Filesize

                                        240B

                                        MD5

                                        9fe824d38a1dca43ab1f3888ab5faae2

                                        SHA1

                                        0f7777aa6f8e4910835617e771b5ef7e2349efd2

                                        SHA256

                                        8436314a5d1fecc4c251d13af3510043d49dd9b10feb1c25daf1da6f75065b4c

                                        SHA512

                                        8cf6d69663b7298f5e0e60c07b6a520c243991bee11cd2eb72c7c82d6cbedca838ec3ba2709080ee70709bfde6fe8d7bfe148aaa38116ff7a14b50a82a510e53

                                      • C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat

                                        Filesize

                                        240B

                                        MD5

                                        4fcd8e48f271403cce34b79baa3b080c

                                        SHA1

                                        64d43dcb3feb5aa99fbdc51610f354359af83835

                                        SHA256

                                        ca705df4e92901a8ed9887ae52f49582ad9bf02e60983a9392bd85e01bf7f0ed

                                        SHA512

                                        31f139b4f1ec877886999ec754e21b06096315daadfcf4a19df7c5a04a7bb410f608f06073b5f0fac287836653892fcb6e973695fb6704f2d00b3c52b354b2b4

                                      • C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat

                                        Filesize

                                        240B

                                        MD5

                                        5f41fe82e6346d246637de3b7458f51d

                                        SHA1

                                        32d816e5584c2ec28b81ede104045b52a1f84b73

                                        SHA256

                                        bd7db7f26c6df3f039d9f3269adf7eebd4505bbf40ac1a86109a4f5da14331db

                                        SHA512

                                        36f5c525000144be064b94affa5e96e7b168d4559a0a462d58af05581c5622bd934d56dda95029128b6bea161337ed4d4763e0f6c052848b80aa6d12cd59b3b5

                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                        Filesize

                                        7KB

                                        MD5

                                        fc62fbdac8344f83901d7116b1cd1607

                                        SHA1

                                        b330d119bfc49ef734a7e32472b887ab6e40db68

                                        SHA256

                                        769cfe2620b5ce428caa20941e2656ac05a6e0580dc8cc3a86aeb870bb7d0082

                                        SHA512

                                        d2dc9098f88169e8600703a2519a3f04cfafa93e74aa6ce2ecfd2f5e13c670799aa4a57c89481f4bcac6fe0b8722e66745102b8f937420111faa7dcaa4049a30

                                      • C:\providercommon\1zu9dW.bat

                                        Filesize

                                        36B

                                        MD5

                                        6783c3ee07c7d151ceac57f1f9c8bed7

                                        SHA1

                                        17468f98f95bf504cc1f83c49e49a78526b3ea03

                                        SHA256

                                        8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                        SHA512

                                        c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                      • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                        Filesize

                                        197B

                                        MD5

                                        8088241160261560a02c84025d107592

                                        SHA1

                                        083121f7027557570994c9fc211df61730455bb5

                                        SHA256

                                        2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                        SHA512

                                        20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                      • \providercommon\DllCommonsvc.exe

                                        Filesize

                                        1.0MB

                                        MD5

                                        bd31e94b4143c4ce49c17d3af46bcad0

                                        SHA1

                                        f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                        SHA256

                                        b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                        SHA512

                                        f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                      • memory/624-153-0x0000000000250000-0x0000000000262000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/624-152-0x0000000000330000-0x0000000000440000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1584-634-0x00000000000A0000-0x00000000001B0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1972-393-0x00000000003D0000-0x00000000003E2000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/2024-514-0x0000000000270000-0x0000000000380000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2204-453-0x0000000001010000-0x0000000001120000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2204-454-0x00000000003C0000-0x00000000003D2000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/2212-333-0x0000000000C50000-0x0000000000D60000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2492-17-0x0000000000470000-0x000000000047C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/2492-14-0x0000000000440000-0x0000000000452000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/2492-15-0x0000000000460000-0x000000000046C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/2492-13-0x0000000000E30000-0x0000000000F40000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2492-16-0x0000000000450000-0x000000000045C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/2620-213-0x00000000000F0000-0x0000000000200000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2800-53-0x0000000000F50000-0x0000000001060000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2892-50-0x000000001B5A0000-0x000000001B882000-memory.dmp

                                        Filesize

                                        2.9MB

                                      • memory/2892-51-0x0000000002860000-0x0000000002868000-memory.dmp

                                        Filesize

                                        32KB

                                      • memory/2988-574-0x00000000012A0000-0x00000000013B0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2996-273-0x0000000000A80000-0x0000000000B90000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/3020-694-0x0000000000AD0000-0x0000000000BE0000-memory.dmp

                                        Filesize

                                        1.1MB