Analysis

  • max time kernel
    146s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 19:05

General

  • Target

    JaffaCakes118_a0a8d035d8832a46a8328f7cbd5d72d9fe6fe209265fdd35f7643a39ca9d5301.exe

  • Size

    1.3MB

  • MD5

    be90009e13cd62532f99a67e21b876b6

  • SHA1

    8a920cf41f82dbc9f01b1ae996538625c822bb5e

  • SHA256

    a0a8d035d8832a46a8328f7cbd5d72d9fe6fe209265fdd35f7643a39ca9d5301

  • SHA512

    c01900ec9849a500094bc80f03eaa16842208df444285d8d01562587fb3e32912cc3f8c09c21e2e808a8de651c1cddf9ba59fa362da8ec90060082599030e392

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a0a8d035d8832a46a8328f7cbd5d72d9fe6fe209265fdd35f7643a39ca9d5301.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a0a8d035d8832a46a8328f7cbd5d72d9fe6fe209265fdd35f7643a39ca9d5301.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2360
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2244
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2052
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2420
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\ja-JP\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2160
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1208
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:316
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1320
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1972
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:440
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2028
          • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe
            "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2140
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1792
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2112
                • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe
                  "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2216
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jlvf1Vq2YP.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1740
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:2424
                      • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe
                        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2404
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2024
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:2620
                            • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe
                              "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe"
                              11⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2196
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4NR89d4K3E.bat"
                                12⤵
                                  PID:3040
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    13⤵
                                      PID:2484
                                    • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe
                                      "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe"
                                      13⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1388
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E3sOpJujjE.bat"
                                        14⤵
                                          PID:2772
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            15⤵
                                              PID:688
                                            • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe
                                              "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe"
                                              15⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2200
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat"
                                                16⤵
                                                  PID:1884
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    17⤵
                                                      PID:2248
                                                    • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe
                                                      "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe"
                                                      17⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2536
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat"
                                                        18⤵
                                                          PID:1044
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            19⤵
                                                              PID:844
                                                            • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe
                                                              "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe"
                                                              19⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2616
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat"
                                                                20⤵
                                                                  PID:1908
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    21⤵
                                                                      PID:2284
                                                                    • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe
                                                                      "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe"
                                                                      21⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:1568
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat"
                                                                        22⤵
                                                                          PID:1676
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            23⤵
                                                                              PID:440
                                                                            • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe
                                                                              "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe"
                                                                              23⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:856
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat"
                                                                                24⤵
                                                                                  PID:2840
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    25⤵
                                                                                      PID:1304
                                                                                    • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe
                                                                                      "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe"
                                                                                      25⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2668
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UZ6jdsJyxg.bat"
                                                                                        26⤵
                                                                                          PID:2904
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            27⤵
                                                                                              PID:1076
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\cmd.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2640
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\cmd.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2636
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\cmd.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2660
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\ja-JP\audiodg.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2628
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\audiodg.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2696
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\ja-JP\audiodg.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3060
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2884
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1324
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1140
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\cmd.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2932
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\cmd.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1260
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\cmd.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1452
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\spoolsv.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2720
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1896
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2920
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2956
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:300
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1664
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1076
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2200
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2496
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1544
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2284
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2548
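The twenty-four schtasks calls above are the whole persistence story of this sample: each dropped copy gets one ONLOGON task plus one or two MINUTE-cadence tasks, the task name is the binary's name with a letter appended, and the payload borrows a System32 process name (conhost.exe, csrss.exe, sppsvc.exe) while living under Program Files (x86) or MSOCache. The following script is an added example, not part of this report or of any sandbox tooling; it parses `schtasks /create` command lines and scores exactly that pattern. The first three sample lines are copied from the report, the fourth (a wbadmin backup task) is constructed as a benign control, and the list of System32-only binary names is an assumption chosen for this illustration.

```python
"""Flag schtasks /create command lines that show the DCRat persistence pattern
from this report. Added example; not part of the sandbox report."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumption for this example: binaries that Windows only ever runs from
# %SystemRoot%\System32 (or SysWOW64). A task action using one of these names
# from any other directory is a masquerade.
SYSTEM_BINARY_NAMES = {
    "conhost.exe", "csrss.exe", "sppsvc.exe", "smss.exe", "wininit.exe",
    "winlogon.exe", "lsass.exe", "services.exe", "svchost.exe", "dwm.exe",
}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
MAX_BENIGN_MINUTES = 15  # /sc MINUTE /mo N at or below this reads as a watchdog

_ARG = {
    "tn": re.compile(r'/tn\s+"([^"]*)"', re.I),
    "tr": re.compile(r'/tr\s+"([^"]*)"', re.I),
    "sc": re.compile(r"/sc\s+(\S+)", re.I),
    "mo": re.compile(r"/mo\s+(\d+)", re.I),
    "rl": re.compile(r"/rl\s+(\S+)", re.I),
}
# First drive-letter path ending in .exe inside the /tr value (DCRat wraps it in
# single quotes, benign tasks often append arguments).
_EXE = re.compile(r"""([a-z]:\\[^"']*?\.exe)""", re.I)


@dataclass
class Finding:
    task_name: str
    target: str
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # One masquerade hit is decisive; otherwise require two weaker signals.
        return any(r.startswith("masquerade") for r in self.reasons) or len(self.reasons) >= 2


def parse_schtasks(cmdline: str) -> dict[str, str] | None:
    """Return /tn, /tr, /sc, /mo, /rl of a 'schtasks /create' line, or None."""
    if not re.search(r"\bschtasks(\.exe)?\b.*\s/create\b", cmdline, re.I):
        return None
    args = {k: m.group(1) for k, rx in _ARG.items() if (m := rx.search(cmdline))}
    return args if "tr" in args else None


def analyze(cmdline: str) -> Finding | None:
    args = parse_schtasks(cmdline)
    if args is None:
        return None
    m = _EXE.search(args["tr"])
    target = m.group(1) if m else args["tr"].strip("'\" ")
    directory, _, basename = target.lower().rpartition("\\")
    directory += "\\"
    f = Finding(task_name=args.get("tn", ""), target=target)

    if basename in SYSTEM_BINARY_NAMES and not directory.startswith(TRUSTED_DIRS):
        f.reasons.append(f"masquerade: {basename} outside System32 ({directory})")
    stem = basename[:-4] if basename.endswith(".exe") else basename
    # "conhostc", "sppsvcs", "csrssc": the binary's stem plus at most one character
    if stem and f.task_name.lower().startswith(stem) and len(f.task_name) <= len(stem) + 1:
        f.reasons.append(f"task name {f.task_name!r} mimics the target binary")
    if args.get("sc", "").upper() == "MINUTE" and int(args.get("mo", "1")) <= MAX_BENIGN_MINUTES:
        f.reasons.append(f"re-launched every {args.get('mo', '1')} minute(s)")
    if args.get("rl", "").upper() == "HIGHEST":
        f.reasons.append("run level HIGHEST")
    return f


def triage(cmdlines) -> list[Finding]:
    """Analyze each command line; keep only the suspicious ones."""
    return [f for f in map(analyze, cmdlines) if f is not None and f.suspicious]


SAMPLE_CMDLINES = [
    # copied from the process list of this report
    r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /f''',
    # constructed benign control: real System32 binary, daily cadence, no elevation
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\wbadmin.exe start backup" /f''',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_CMDLINES):
        print(finding.task_name, "->", finding.target)
        for reason in finding.reasons:
            print("   ", reason)
```

The same checks apply to a live host or a forensic image: feed the script the action column of `schtasks /query /fo CSV /v`, or process-creation telemetry where the command line contains `schtasks` and `/create`. The masquerade test alone catches all three dropped binaries here, so the cadence and run-level signals mainly serve to rank alerts when a task points at an unfamiliar name.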

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Downloads

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          d6d8667c9884e31733b3178a38fec00f

                                          SHA1

                                          8c5798ea1e3f7caa402474b655aa6c1fbc1dbcb7

                                          SHA256

                                          8d96e3aff5cb0882f46eecc6c087d7c485b057520016debe79570892a7429615

                                          SHA512

                                          5617dd0550566a23191fdb4f769597de35c8e0ecc5608104fa6394d5a4afc5008cbd32365f5177346c7ba4da6af00722420fb9b3c533c234ebd7413aeabefafd

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          af84b0f27970f6a2f7ed08f905696353

                                          SHA1

                                          4c7dea5ea58ea3195f2fcd52002689cbc957bf5d

                                          SHA256

                                          d04e74d9703f3f273bacca7dd0156da5fdd0a608685a10f5d522a42e171b5c88

                                          SHA512

                                          4b75905c3d87f933d4064d20782b8e496efbc5127158724ff67bef46b7cade94b8ffcc4832a2931338a36856d116f07d501d13549e6b6f4e7d2bd6b6b3d9b221

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          46704c55bdf4f288413c278a45bacd9e

                                          SHA1

                                          45f57d0fc59524bf03459bc84e6eca02e7f21c8d

                                          SHA256

                                          3713175cd86837c493a4d2b263a4b134e0069dfb7d6d11915f479bf163dafe3e

                                          SHA512

                                          64f5f244b77cffb573de222d932d312b93367932a4ead1bc7a7f55dbca30f38d9163df7b982e90d84cf964dbe11eaac707559205e79e9ba3544b6c293dbd2b33

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          554c74820476c7d5a029b7d3f6c75857

                                          SHA1

                                          4b295deb6c9627b3f805f092e5cb0d9e16de8684

                                          SHA256

                                          18686ed04bc07ed95a6cb97f92a362032dea58977102f48e9be6678f91fdb9a6

                                          SHA512

                                          9ca32fdfcb6cd0472cb7a565463d32e426643c4f1dd5ff04be6befc1036cc13a6c61b3c4b547c004b81a67550e35c4c38f49541681dd9a23228d70f1bdd95d95

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          c2b121d23b71aa0b7921cdc1c8025da3

                                          SHA1

                                          4d4b5583e5efd84ab0c4e236483a4ceb52b7de9e

                                          SHA256

                                          718123cc275bca6105aa90064b9f6be0e14321b83b1868a9cc8fa86db920dbf4

                                          SHA512

                                          4683e33f1d0b189af47a1fa0ea0ad3b5d84449e1d8468b39cbdcd727967844e8e0d98893e57f85b34922e2f0723f37fbd2ca6f33744303f0d107d866bced0abf

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          4bb65b92b9d916a8737d62ac5a0b75b1

                                          SHA1

                                          2ca5afcd920205fb6502bf0fa0bef23a8294a5e5

                                          SHA256

                                          15e7b62d4c5419244a27fd4fd3c3fe933d32011226e023e1b6c806afbab75f7e

                                          SHA512

                                          eb4480b749725fb496891ecbd7885d104a3f5c9d08d2c25f78a6c9151bdedac1c57ac3ac0634e17e30aba728c92b46a0505846679ec7a23ac91609c1b61b49d9

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          e24ff4dc7172175c8a2b4e1b2245c65c

                                          SHA1

                                          0ad68fe093b7f348c8a4f0643e357e5314ef5cf4

                                          SHA256

                                          13b5c35569f63f75cd9e29f5b322e90b7285dae65b0b3ea746e362539c1a0e25

                                          SHA512

                                          04027be45834c44a37489fa740cd943e3d7bf53a941930b773752ffb6a500bee84f334976a8962efacb3bcfaebc917f5a72e18c91918d3ea2f9ce082360289dd

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          0e63f8bea1aa22e906a6d3a29b52bdb5

                                          SHA1

                                          d7051e77e49186d62a7d4e8fd7c2085c8219d942

                                          SHA256

                                          7aeab06432b08114dcccf520e8fdae5776fd1bd8c2ee37bce0563fa059d46be7

                                          SHA512

                                          bb13acf87b3c58572c4cc9820503b9760faa04a71155ebb0ab1178499699c69658b3f9d1759df4f0ebc0402ef5f5d56dac5ce84a8f44eedea3d4fe1c15adda90

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          82a5b5c214ae8f74fc1bd5f89768494d

                                          SHA1

                                          5eff1a6b9a18964524121f7f268381034d5378f3

                                          SHA256

                                          f6466591e3084aac20fcffac653ef74a3b1fb7e965c628e31e029533c0f06699

                                          SHA512

                                          533c1995a9e8c22543b66f6c8966bae9939628478e266b6d0fcea88eef69a0b563a1b415d83804d9dc8c2e971a9983670452f9fd7171f44c1eaa976bb689c0d5

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          a979627d1a6e009ad23e50e0a70acfa0

                                          SHA1

                                          d2bcbe5fdd10e58baeaa4493dc51a28b40c93c14

                                          SHA256

                                          d8ab32223a6b757d8f8664aae116e468154919edf6bc2f522fe3251660198415

                                          SHA512

                                          5949da071117729bde47cb5ed9c20d4e95938a0c3c1bc9826e862ba5dadfe6f6f43a06ee0022b7c56c83c6796cf754dcc5d4a08a4fefcf9ca9e3585e03026ca6

                                        • C:\Users\Admin\AppData\Local\Temp\4NR89d4K3E.bat

                                          Filesize

                                          240B

                                          MD5

                                          d38789f981ebc8f0c86e2ad0574b2bba

                                          SHA1

                                          660f4abb05e32ee93f5267469ca0ce15813f1216

                                          SHA256

                                          7da0072b7b27c1b626d1ee41537d862011671eaa76e2b5f509be7dc9ee866d0c

                                          SHA512

                                          73a779ee5f7608a2415423e6996d288d8e53d5fab8424aded06017079ac2a7ab658f0267c5ae2f01639d3672d320f8d9c9a7385727e34b4391f8646945a4e0f1

                                        • C:\Users\Admin\AppData\Local\Temp\CabECF0.tmp

                                          Filesize

                                          70KB

                                          MD5

                                          49aebf8cbd62d92ac215b2923fb1b9f5

                                          SHA1

                                          1723be06719828dda65ad804298d0431f6aff976

                                          SHA256

                                          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                          SHA512

                                          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                        • C:\Users\Admin\AppData\Local\Temp\E3sOpJujjE.bat

                                          Filesize

                                          240B

                                          MD5

                                          da9a78fc3e0624789417d869d9e820d7

                                          SHA1

                                          febefcdb69002fc7a0f1c630241e2fa0edd3ae26

                                          SHA256

                                          b215b2e4b905c0ea6a1f6c841e97fca698407ace4592318500e5a3341b8f6d79

                                          SHA512

                                          b095a1b9ea13a0fa650f6c5b80cf604baa1ba774c5c784c8bac43ecd66d8b84a8ae877f4791fcca62efb39d2b358a8f5c59603829a137e4cf9977ae23a52cd76

                                        • C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat

                                          Filesize

                                          240B

                                          MD5

                                          7a7ee88f5249c28d9640c15092ce7117

                                          SHA1

                                          9390e5d5a6b4efb9cb46f1517b17fb5109789b16

                                          SHA256

                                          9a387c39ec43d20cd539ebd412c81b9ed85de6c0e8355567934c1988fdc73f19

                                          SHA512

                                          108adf315945881f265ec4bab4408962862b5768a1146b12a79fab630e47f9832b7416278dc00e0c71e8f79949f591b150b65c8493f9fa68bb64b01901fe3724

                                        • C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat

                                          Filesize

                                          240B

                                          MD5

                                          840edb61989dd968d05d87bcac60e7a6

                                          SHA1

                                          56f7e6b08546653b155cbbb4753444b7f1b02d84

                                          SHA256

                                          fa804845d3e160a1fca332bdec02a0978647e56f52c4c6f2fd4116efbcf81c1c

                                          SHA512

                                          2905a915a797e2a4cbc5a1cfa0c5347235b0e55be77a6a47ddc5bf2317af6a631ebb595d98673ad347b3ed2f8858b09311e4e45780cd14678d088d4e6460a775

                                        • C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat

                                          Filesize

                                          240B

                                          MD5

                                          83f71bbbcfb3e0ba29e8da5aa7105879

                                          SHA1

                                          324028c844d13634260ac25bc3109aea0c7d89ed

                                          SHA256

                                          afce5a8cc4960e4f7719b4149f4a4b8cfc4ab513be7c6fdc252757dd1bd3a99a

                                          SHA512

                                          684bb17469a9381eec80c58bff9619934ca90aa6d79af9351a1d2d300fe771208c871ef55be7bcdf88a181fdf8079bb12d23fa04d519b3f7367a85b2f8882f5a

                                        • C:\Users\Admin\AppData\Local\Temp\Jlvf1Vq2YP.bat

                                          Filesize

                                          240B

                                          MD5

                                          7128bbd304cee7af3b0ff5921f10c5a9

                                          SHA1

                                          16ef08f8b26d62ccb94fb9d2d18fd6a1ee096667

                                          SHA256

                                          abe7cda4d0c6bb85882fe65dbf063cca4698571f9fcf61d01f11d21ed8c05aee

                                          SHA512

                                          33fb54d28a8428b8cc5fef6755e201ecfa4ee6db6c51b52032cd69789817bc133a3a11b7c76298f331c75449e6a34e35c79a57b7c21bdda3531dbef6e144580c

                                        • C:\Users\Admin\AppData\Local\Temp\TarED03.tmp

                                          Filesize

                                          181KB

                                          MD5

                                          4ea6026cf93ec6338144661bf1202cd1

                                          SHA1

                                          a1dec9044f750ad887935a01430bf49322fbdcb7

                                          SHA256

                                          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                          SHA512

                                          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                        • C:\Users\Admin\AppData\Local\Temp\UZ6jdsJyxg.bat

                                          Filesize

                                          240B

                                          MD5

                                          e3cc7b0aba27b1ea1ac27d3180468788

                                          SHA1

                                          4d8543755cfed8aa0570550b2bbc617b335b6f54

                                          SHA256

                                          7a31cddd473d78443466a71745813e92ac9aef30e496bfe3761e7bb1ec027aef

                                          SHA512

                                          d965a834d75f7af69d57d1656797f4077016471d36142f8a90e2dca2276b3db31ef772c0b025a135dcd208a5911a5a1f19e73524a1ace34df547cbdd57ac30e3

                                        • C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat

                                          Filesize

                                          240B

                                          MD5

                                          88eb93f4b6127b2e87d635ec29890f7a

                                          SHA1

                                          ef22f42e8bf7b10b82d7b10d5b9993bb19d12591

                                          SHA256

                                          08b57f138f30acdd3a725783b9b3b12dae519738e0e4591401c910f4dcd3fe3d

                                          SHA512

                                          85cf1dbdcebd626858fe0b7607fcd38666f03c98589bf5c8ae8f1ff9af45c5c400cdbc8b967ed46e52e491094c725fd8fa04d582faa2489748290a8072401c7f

                                        • C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat

                                          Filesize

                                          240B

                                          MD5

                                          3db22b8581d9839b2fdff55fccbdd87e

                                          SHA1

                                          eddef16a2ea8cd69e58476972f6786b7efafd04e

                                          SHA256

                                          1e0c05b8dabe2844b5355948fd0093a323583861400132bdea7318d85cda1777

                                          SHA512

                                          b5a542610b93c8602c2577e3a039d019bdffcb55f99458b368ff763468082772ed0cbf34d4a4febf2d380b05ba779285e980eedb06ff02f74015d9005fa4996f

                                        • C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat

                                          Filesize

                                          240B

                                          MD5

                                          fc5d43795b2e666b11d2fe5e70e47fcb

                                          SHA1

                                          ac353c6f4c5aa85d8df35810f39009ccea880660

                                          SHA256

                                          27d2d4ba486e87acff1cff7ada583dd94561e611bd44d5d68b97a83a724004d4

                                          SHA512

                                          1cfff4e488845acf7f7c9641449c1966399adbbc610db14ec6edee7023a34c989a05ab618c1f76e6de701220aaa9c0c4fc6b3630cf4fb30a546c60cf05136717

                                        • C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat

                                          Filesize

                                          240B

                                          MD5

                                          fe52a1c7df202dbe144eb3655f59f228

                                          SHA1

                                          b1580eb54b5a888f93db29c14fab2024963dff09

                                          SHA256

                                          32c727d6c9925837b429dcb748315dbed2a9f517fcbd57629b43ae9b07189306

                                          SHA512

                                          ec5a63177547900fed1ba7c6cec9191a5f10ae884c8efb715a2474f445ecfe8f310f5df746e625bf5c24a49c9ce05cb382283badaa65d0fbd065321e00badf47

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                          Filesize

                                          7KB

                                          MD5

                                          9d965da6b9b09c6d58ed71e8ddc3d11a

                                          SHA1

                                          c37214dc48d272e8ba8272167b0ae3342e69411c

                                          SHA256

                                          4b80f1ba54a44c3e50552e85d70ea12c189e0d47039205541c4036847f78459c

                                          SHA512

                                          0f6568fa6b4f38be0b68156edb64f87a171d065c8c922591d6e08dd09cab0b56114072a2de788fc36ea59e20baf9e081e02edd04de58e199b94846a7c243fcdd

                                        • C:\providercommon\1zu9dW.bat

                                          Filesize

                                          36B

                                          MD5

                                          6783c3ee07c7d151ceac57f1f9c8bed7

                                          SHA1

                                          17468f98f95bf504cc1f83c49e49a78526b3ea03

                                          SHA256

                                          8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                          SHA512

                                          c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                        • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                          Filesize

                                          197B

                                          MD5

                                          8088241160261560a02c84025d107592

                                          SHA1

                                          083121f7027557570994c9fc211df61730455bb5

                                          SHA256

                                          2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                          SHA512

                                          20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                        • \providercommon\DllCommonsvc.exe

                                          Filesize

                                          1.0MB

                                          MD5

                                          bd31e94b4143c4ce49c17d3af46bcad0

                                          SHA1

                                          f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                          SHA256

                                          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                          SHA512

                                          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                        • memory/856-624-0x0000000001360000-0x0000000001470000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/1568-564-0x0000000000350000-0x0000000000362000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/1568-563-0x0000000000190000-0x00000000002A0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2140-46-0x0000000000BB0000-0x0000000000CC0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2196-265-0x0000000000140000-0x0000000000250000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2200-384-0x0000000000EF0000-0x0000000001000000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2216-145-0x0000000000300000-0x0000000000410000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2244-17-0x00000000003D0000-0x00000000003DC000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2244-16-0x00000000003C0000-0x00000000003CC000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2244-15-0x0000000000260000-0x000000000026C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2244-14-0x0000000000250000-0x0000000000262000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/2244-13-0x00000000002B0000-0x00000000003C0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2404-205-0x00000000001C0000-0x00000000002D0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2420-42-0x000000001B710000-0x000000001B9F2000-memory.dmp

                                          Filesize

                                          2.9MB

                                        • memory/2420-45-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/2616-503-0x0000000000050000-0x0000000000160000-memory.dmp

                                          Filesize

                                          1.1MB