Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 20:14

General

  • Target

    JaffaCakes118_0d3b5bc468d9cb483bcacea7c7da457b0647e193c1c517c83fcea6aaa00453bc.exe

  • Size

    1.3MB

  • MD5

    7c2dc10b63a2ae06c8752d0ae3cbc3fa

  • SHA1

    97cbad5e3a8a94ac6122322fbba0542b0f2a0303

  • SHA256

    0d3b5bc468d9cb483bcacea7c7da457b0647e193c1c517c83fcea6aaa00453bc

  • SHA512

    0be6fa590f0ce0b38a7ac8c5f9f70b831aea8558ede26174b93e085f077f0f8f6f562c58851f6d2cfdcaa220f5cb8c4f7facd06213c9462b737d70edff095869

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3b5bc468d9cb483bcacea7c7da457b0647e193c1c517c83fcea6aaa00453bc.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d3b5bc468d9cb483bcacea7c7da457b0647e193c1c517c83fcea6aaa00453bc.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2896
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2256
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1132
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1956
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1788
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1420
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2052
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1704
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1580
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:624
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1732
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1112
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cAu3s559Vz.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1908
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:576
              • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe
                "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:276
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2288
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:112
                    • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe
                      "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2568
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3044
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:1940
                          • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe
                            "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe"
                            10⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2328
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat"
                              11⤵
                                PID:2892
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  12⤵
                                    PID:2256
                                  • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe
                                    "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe"
                                    12⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1956
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat"
                                      13⤵
                                        PID:2352
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          14⤵
                                            PID:1752
                                          • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe
                                            "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe"
                                            14⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2408
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat"
                                              15⤵
                                                PID:1952
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  16⤵
                                                    PID:2488
                                                  • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe
                                                    "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe"
                                                    16⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1288
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CMv1BFFgLz.bat"
                                                      17⤵
                                                        PID:2972
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          18⤵
                                                            PID:2376
                                                          • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe
                                                            "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe"
                                                            18⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2052
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Or3SRhMf8V.bat"
                                                              19⤵
                                                                PID:1624
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  20⤵
                                                                    PID:2960
                                                                  • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe
                                                                    "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe"
                                                                    20⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2176
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat"
                                                                      21⤵
                                                                        PID:2432
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          22⤵
                                                                            PID:2128
                                                                          • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe
                                                                            "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe"
                                                                            22⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:972
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"
                                                                              23⤵
                                                                                PID:2344
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  24⤵
                                                                                    PID:2852
                                                                                  • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe
                                                                                    "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe"
                                                                                    24⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:1740
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat"
                                                                                      25⤵
                                                                                        PID:2644
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          26⤵
                                                                                            PID:872
                                                                                          • C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe
                                                                                            "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe"
                                                                                            26⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:2108
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:536
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:276
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:664
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2436
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Downloads\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2124
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\assembly\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2544
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\assembly\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\assembly\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2880
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2928
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3028
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2408
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2432
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2220
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2296
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2388
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2232

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Downloads

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                          Filesize: 342B
                                          MD5: d4611de57b1675e02c52af608890d200
                                          SHA1: a529ab665bddcc07a8198a04e94d904e2db1ec87
                                          SHA256: 5dc66679bd76b9178050f8d78b2f08e0e00651de73dbe56696689dc34d29165d
                                          SHA512: e2aab2f9ef4f674fbd847d63ea00aa026e50b71f61000826b9da626551a41882256093db474944a53671c43bf60411a783a7d237a407a6fad3337fcb2118e802

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                          Filesize: 342B
                                          MD5: d5000e944163ad2268452eec6a5d58d8
                                          SHA1: f699ab0f426bd8eba31b92fb7ab6229533d31b65
                                          SHA256: 4c93a24868ba26aa59f37482bcbeb8e30f07fe16e6195552c785d588f4b838b1
                                          SHA512: dd51333fac2d1b580b33c0494364519a78ab22bb6a13019314f1422aca2e5f2fb0bae3203d6724a1e2df40c47b12a484d8ee25c4cf19038fca3a79f15ed7ecb4

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                          Filesize: 342B
                                          MD5: 086a93abc4d25b9144b839f8374572c9
                                          SHA1: c22a4158d0c79a952ba6bbf14fd6f60eaf52d6fa
                                          SHA256: acd70d04ad7f81c49b623dda2e82b30acf9f9b436a743b00918174c15f19b4ee
                                          SHA512: 26e9a6f97e3fdbb9709585f8dcf27b0962c8a7a699bf5c0b3f7a9c6ea9894eb491bbbafaa0ece59bc44952493f5a9017e0586fede756cbef445076e312ab41eb

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                          Filesize: 342B
                                          MD5: 426e7dec96c5319d271a8692b452539b
                                          SHA1: fa2669302a1b65aef51721b79ce2f26d8ef3073b
                                          SHA256: 2b3ca38f4943548fd05a499eec310922eb661bfc4787c90871522ed40eb0bb0c
                                          SHA512: 65974e36adaafd3a226932f3e7cd31e16685303b6769d67fab5466fc9aa5a81a542d73176d34b3386652ba81ea5160cfee9424809d5a79e1500585ca106af129

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                          Filesize: 342B
                                          MD5: 5987637d0a8ff0fd1013f5dbf00544d1
                                          SHA1: e42a4450292fd3bee017ea02811c9da9185a0450
                                          SHA256: 06c6eebbc4517dd2eb4bd4f5e6568857d3272175f1a8ff44337d47e55263cb00
                                          SHA512: 31720f2e9fc3dbbb7bf89fb268eb040db8fcdbd427fc927fd6844eff20e36fcc56ca4b97d3a164366a624f67c297395b0e21c0eb91a0d17d3c0c70f782029d73

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                          Filesize: 342B
                                          MD5: 4d34790b3eaf076a14fab8dd2485e5cf
                                          SHA1: 81f7c46adacfd20a36a17da904f6f412ee989a48
                                          SHA256: 758e5f5066700183adf1e58ab7d529de88247119f2868a351ea1eb638142aae9
                                          SHA512: 0f136d54b3d8d8e1d330ea535a68fb3e6fcc5a9b53e7e0bcf682e24bf934f879e671e29e391fa2d2946e5f0dda560dc7c540e7ef05a9668555aa00d59b5c0805

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                          Filesize: 342B
                                          MD5: cf147e60a898df0972815ca2cd1983d2
                                          SHA1: 6d950037f273affcaf79baeda5c478f10e14ddc8
                                          SHA256: 941ac4d7ea7c71abd4405fcbd45101da062bceca72bbe0b1a90e7314a6fa30ae
                                          SHA512: 72b64e87c7ddb20587e31a36b5c1758f4ba2f8a82d03c1b25874b7c2966ee068894cf3afb671529090b321171103dbd1ba4d87f642c0d457ab2d5868e3c7283e

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                          Filesize: 342B
                                          MD5: d01c44ec93d217ec1106229fdf74ed0f
                                          SHA1: 5fa498ea9fd686ef832d5c3697766a7e4da64330
                                          SHA256: 5fd2942094c0ba7c89b297072e60ba6458baa31cc60e3c709a06e8522bd55bf8
                                          SHA512: 19cdccecf39ddef3719d69935a159941db577bdec0d480ade2daef9c51d40f58d5b8ffcff6669a54bcdbc43b8e4dc948949c2d8af67b9a9b6173cdf2ffa662b0

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                          Filesize: 342B
                                          MD5: eafb0de373e211f2c74ad9bf6ae3a992
                                          SHA1: 5803b69ce76f94c5865a205d1baad94491c7916b
                                          SHA256: 5a40baf3c58329d5121559c428c7ff6d8cbea5588a509446bb3f2adee7c5d3ce
                                          SHA512: e84948897ecfca512c6ddf98785575d8ae39f867edceed220e17d01acb636b43325a2924fb1b76c77856d4c4448bfddb5fcb139354d99398a541e75281a5dbf4

                                        • C:\Users\Admin\AppData\Local\Temp\CMv1BFFgLz.bat
                                          Filesize: 225B
                                          MD5: 9a2033450a7b245070b373c5dd09749f
                                          SHA1: 741111e193c935dad10c15a25db61fdf923fd2a5
                                          SHA256: b6042137019920ea165ddc3f383daad1e6744c1a181733e3955a5fe03bfb8512
                                          SHA512: 713ea4ac96da4a3ca8134f7e5af40eb7197a721e58c6fba61773fbb3fe82a7f8856f7f25e09f40ca212ef6cd8b8042565b3db6e687916485ae4509814ccfcbcf

                                        • C:\Users\Admin\AppData\Local\Temp\Cab8A86.tmp
                                          Filesize: 70KB
                                          MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
                                          SHA1: 1723be06719828dda65ad804298d0431f6aff976
                                          SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
                                          SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                        • C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat
                                          Filesize: 225B
                                          MD5: 9bc77228453874db6161c78b0333c1d2
                                          SHA1: 4e9810f7cefcfcb1ca2dc50f16585a7b6655a7a9
                                          SHA256: 54f8bd66cbc87c82d91756210c7d60f5d014692a5f0c8d0a4a4b3500a925716e
                                          SHA512: c6b5b8042de511eaee8e2dce07e0cbdaa5a2448f155139c45e772834a4d24a46c9b7523c3d2e25a8f5bfa94ab2292bd5e0616e64bb0b8954abdd75e5dd49058e

                                        • C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat
                                          Filesize: 225B
                                          MD5: b4f3923062ea2683c118d957e8abe185
                                          SHA1: 98dfb01bab36298584c4df25bc8ecf0e1b9ae437
                                          SHA256: eb908040fa3e08d8e091e228301846af8197cf6712ed30783e3e4a7bf989d2be
                                          SHA512: 37039ca329c3c467193e6e92596592bf324b84e2b18b78bd5b2fd7ec8a7d4bfc040b948907bb9fe8dab8c362ead92c5718cff7dd37ea509a65371ed72deee70b

                                        • C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat
                                          Filesize: 225B
                                          MD5: e4b46fe2ea99e3fa92e91a1e4c554aa3
                                          SHA1: 9383e7fdf4d22dd0e65ddd51c975254eaad1a81d
                                          SHA256: 086f6ac29abf4176ea0ffa3217a1376a0195491cfc2d0f874b07fcfaf0546cfa
                                          SHA512: e9de8c26e9b32dccefe098dae8416baa6c4dcb38408a63d4dd8d6dbeccca167b1c6cc305d08c603711462c9d13ce568afeb3455b97e4d2219bbcaeeff7b3e342

                                        • C:\Users\Admin\AppData\Local\Temp\Or3SRhMf8V.bat
                                          Filesize: 225B
                                          MD5: a0753bcaec52487956a34163fdeb2750
                                          SHA1: 64324a1173e697428393a359eae407e9ae54d77a
                                          SHA256: 2cd1461ccf00eda3e1dfae1a6667761861aece3ceae2c75b74fa42f7179a4809
                                          SHA512: 276e302358c94cd505f3782db08e5e132ee2b130eae453ba9ca23254e98e80d12cf821767d480a6315aaf916b9d52affb9475b684c6e28eceaad54d9482dc183

                                        • C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat
                                          Filesize: 225B
                                          MD5: 5a9551af02a7ed956ab19580b32cbc19
                                          SHA1: 751af9b7d914c6cda31214d5d7e8b75b707bd972
                                          SHA256: 930a3a804e646f5907fa4b3ee3728eb22426d90d323f52a77919531a48062d76
                                          SHA512: 7eaa9c3a7e6c87e98d3781a66095c62b9b509ef57c9eea5d0344d3819d8c98859a418a5a1fe6e880cd74544971ec33fe6c143106eca167affb79c18bebb771e0

                                        • C:\Users\Admin\AppData\Local\Temp\Tar8A98.tmp
                                          Filesize: 181KB
                                          MD5: 4ea6026cf93ec6338144661bf1202cd1
                                          SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
                                          SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
                                          SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                        • C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat
                                          Filesize: 225B
                                          MD5: 3ee63f365a45fe5c02cd15ce32e9506a
                                          SHA1: 26945627fbca8ceaec682f4812327df2f91933d2
                                          SHA256: c3373c6b6514a008bdb324e2bc3ed657c1d99f50d9fbdeab2f5c4aec032b8341
                                          SHA512: e5435de801a8311891ddf95f1acc5701585f6d7f235a6acffe91980410d0c77e4f817401f84cd1f48c3ad2d7c84e6e7c9f0a8264fb4f0851bf1a35ddfd28e705

                                        • C:\Users\Admin\AppData\Local\Temp\cAu3s559Vz.bat
                                          Filesize: 225B
                                          MD5: 483010b1aeb82f2f5b7ca7b03a81f12e
                                          SHA1: f5943b10c9fb65d7144c812c98fc85dc59dc7f33
                                          SHA256: 9a84216bcb11fc1c96a91d656f948820c7d99c6c74c2e47df523a78febd2d26d
                                          SHA512: 6de23493a7398a77ebf1819b3ed3fe0219a62fd5e014a216eb094ed4cabadf5b18b30c15d89cda6bbfe993e169473060775a834782b9d50450d9e7050d7109e4

                                        • C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat
                                          Filesize: 225B
                                          MD5: c2554e94d7d178aeb60f89dbe020f943
                                          SHA1: 7d919cb09e5c3ace2c20f0ce59113705e7b8983a
                                          SHA256: 082b79bc095830e4d246dde054f146c0dd68f4e90ce40f02950585eb8e2b7a36
                                          SHA512: 2e2f4180ffe5e792d6b8a4b10e36a7c7d7a3d31ca47dad742f96ee55b55868854bf6284157535a0a5f8f26b8d6126a2fc1a3cb0eba415f1ce8e7165fb34d4019

                                        • C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat
                                          Filesize: 225B
                                          MD5: 189b6d5e4a53032470094589475001d4
                                          SHA1: d4c3efd1f7aa0d83c04f05c0236e5c1a7756fbaf
                                          SHA256: e3197ddee5a48ad50d15eaaaeab6ccc459722fbcf770aa7e2e0984400e00272e
                                          SHA512: ab2052adaa011ca98470283ac374b4eb5d210b9e0a1b6ad79c9c92b65cfc21eab8f5573163c6bf8543e776a5b0fd216ce4ea74f3f0432a85d9644f9600c98b28

                                        • C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat
                                          Filesize: 225B
                                          MD5: 26285bb3ecbce1ecc809a4c71b2a20bc
                                          SHA1: 408a8fba76f4cd5e2507116c2a561de02624a915
                                          SHA256: e7cce6f97d34e0e71d0ab8ac32f7792f7c3a3f0cb5200401205cc97c009f193d
                                          SHA512: a88234b6e6c4d5dbd9c1e2ed086b3789e567743e767c9889a51a7bbc6c05bf094f62d2d540ef8e94f1971f8dfe1673ba5b98b1747b05464c59affa2421f77cac

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                          Filesize: 7KB
                                          MD5: 502b063bc592835956c77e679f199070
                                          SHA1: 2299d03c4c69a4c5c5f2a0a31294d56f98df1030
                                          SHA256: 48b6c1d16a7fed9d715c9ace64bda740bed5502308a6fa4e0d84ccff224fd49a
                                          SHA512: 0d7a6d0a7a89a4b124378e80b0054098f7bf9d948c8e6c9dfd966e5fefa56f4ebf9fa6e8808aa143cfac54bf84c319ac9c70232dadfd3f60873f168600222711

                                        • C:\providercommon\1zu9dW.bat
                                          Filesize: 36B
                                          MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
                                          SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
                                          SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
                                          SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                        • C:\providercommon\DllCommonsvc.exe
                                          Filesize: 1.0MB
                                          MD5: bd31e94b4143c4ce49c17d3af46bcad0
                                          SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
                                          SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
                                          SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                        • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
                                          Filesize: 197B
                                          MD5: 8088241160261560a02c84025d107592
                                          SHA1: 083121f7027557570994c9fc211df61730455bb5
                                          SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
                                          SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                        • memory/276-91-0x0000000000A30000-0x0000000000B40000-memory.dmp
                                          Filesize: 1.1MB

                                        • memory/1132-45-0x0000000002790000-0x0000000002798000-memory.dmp
                                          Filesize: 32KB

                                        • memory/1132-44-0x000000001B680000-0x000000001B962000-memory.dmp
                                          Filesize: 2.9MB

                                        • memory/1956-272-0x0000000000340000-0x0000000000352000-memory.dmp
                                          Filesize: 72KB

                                        • memory/1956-271-0x0000000001290000-0x00000000013A0000-memory.dmp
                                          Filesize: 1.1MB

                                        • memory/2108-686-0x00000000000D0000-0x00000000001E0000-memory.dmp
                                          Filesize: 1.1MB

                                        • memory/2256-17-0x0000000000510000-0x000000000051C000-memory.dmp
                                          Filesize: 48KB

                                        • memory/2256-16-0x00000000002D0000-0x00000000002DC000-memory.dmp
                                          Filesize: 48KB

                                        • memory/2256-15-0x00000000002F0000-0x00000000002FC000-memory.dmp
                                          Filesize: 48KB

                                        • memory/2256-14-0x00000000002C0000-0x00000000002D2000-memory.dmp
                                          Filesize: 72KB

                                        • memory/2256-13-0x0000000000300000-0x0000000000410000-memory.dmp
                                          Filesize: 1.1MB

                                        • memory/2328-210-0x0000000000280000-0x0000000000390000-memory.dmp
                                          Filesize: 1.1MB

                                        • memory/2328-211-0x00000000001C0000-0x00000000001D2000-memory.dmp
                                          Filesize: 72KB

                                        • memory/2568-150-0x0000000000240000-0x0000000000252000-memory.dmp
                                          Filesize: 72KB