Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 19:36

General

  • Target

    JaffaCakes118_d9c2d4c08278975d20d22388d3fa0d1b3661125d015b5e692cf59c3397005a9e.exe

  • Size

    1.3MB

  • MD5

    9c7cd2988c0ad5d8c15ecae6edfc6bd7

  • SHA1

    74eda384809243c73178bb1d7c507e8e82f3ac59

  • SHA256

    d9c2d4c08278975d20d22388d3fa0d1b3661125d015b5e692cf59c3397005a9e

  • SHA512

    4e47f8405f7a459e4d6609890bbdb1957f16c35553dcc87bc97dc4c8d238dce0aa30f9da23ec4a7bcc9fb77b564c791927c05a453ff63e2722dd242612aadb96

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d9c2d4c08278975d20d22388d3fa0d1b3661125d015b5e692cf59c3397005a9e.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d9c2d4c08278975d20d22388d3fa0d1b3661125d015b5e692cf59c3397005a9e.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2408
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2692
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2168
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:320
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1828
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:948
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:632
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1484
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:572
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2528
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2376
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2052
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SJE3qadHNn.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3044
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2180
              • C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
                "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1288
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:876
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:1124
                    • C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
                      "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1704
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1140
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:2964
                          • C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
                            "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
                            10⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1524
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"
                              11⤵
                                PID:2100
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  12⤵
                                    PID:2168
                                  • C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
                                    "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
                                    12⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2604
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat"
                                      13⤵
                                        PID:1744
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          14⤵
                                            PID:2712
                                          • C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
                                            "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
                                            14⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2976
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rHhDMS4c5i.bat"
                                              15⤵
                                                PID:1496
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  16⤵
                                                    PID:2276
                                                  • C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
                                                    "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
                                                    16⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1776
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1rZrAbBst.bat"
                                                      17⤵
                                                        PID:2036
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          18⤵
                                                            PID:3048
                                                          • C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
                                                            "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
                                                            18⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:580
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zi4n06VBpB.bat"
                                                              19⤵
                                                                PID:2180
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  20⤵
                                                                    PID:2296
                                                                  • C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
                                                                    "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
                                                                    20⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1712
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat"
                                                                      21⤵
                                                                        PID:2692
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          22⤵
                                                                            PID:2456
                                                                          • C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
                                                                            "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
                                                                            22⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2104
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat"
                                                                              23⤵
                                                                                PID:2752
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  24⤵
                                                                                    PID:1028
                                                                                  • C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
                                                                                    "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
                                                                                    24⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:1784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2720
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2432
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2648
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:668
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2356
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2836
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2792
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1472
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2128
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1508
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1120
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\it-IT\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2344
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\it-IT\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:808

Network

MITRE ATT&CK Enterprise v15


                                    Downloads

                                    • memory/580-445-0x0000000000F70000-0x0000000001080000-memory.dmp

                                      Filesize

                                      1.1MB

                                    • memory/632-58-0x0000000002050000-0x0000000002058000-memory.dmp

                                      Filesize

                                      32KB

                                    • memory/1288-87-0x0000000000D60000-0x0000000000E70000-memory.dmp

                                      Filesize

                                      1.1MB

                                    • memory/1524-206-0x0000000000340000-0x0000000000352000-memory.dmp

                                      Filesize

                                      72KB

                                    • memory/1524-205-0x0000000001120000-0x0000000001230000-memory.dmp

                                      Filesize

                                      1.1MB

                                    • memory/1712-505-0x0000000001320000-0x0000000001430000-memory.dmp

                                      Filesize

                                      1.1MB

                                    • memory/1776-385-0x00000000001A0000-0x00000000002B0000-memory.dmp

                                      Filesize

                                      1.1MB

                                    • memory/1784-625-0x0000000000170000-0x0000000000280000-memory.dmp

                                      Filesize

                                      1.1MB

                                    • memory/2052-53-0x000000001B460000-0x000000001B742000-memory.dmp

                                      Filesize

                                      2.9MB

                                    • memory/2104-565-0x00000000013A0000-0x00000000014B0000-memory.dmp

                                      Filesize

                                      1.1MB

                                    • memory/2168-15-0x00000000003F0000-0x00000000003FC000-memory.dmp

                                      Filesize

                                      48KB

                                    • memory/2168-14-0x00000000001D0000-0x00000000001E2000-memory.dmp

                                      Filesize

                                      72KB

                                    • memory/2168-16-0x00000000001E0000-0x00000000001EC000-memory.dmp

                                      Filesize

                                      48KB

                                    • memory/2168-13-0x0000000000A10000-0x0000000000B20000-memory.dmp

                                      Filesize

                                      1.1MB

                                    • memory/2168-17-0x0000000000400000-0x000000000040C000-memory.dmp

                                      Filesize

                                      48KB

                                    • memory/2604-266-0x0000000001210000-0x0000000001320000-memory.dmp

                                      Filesize

                                      1.1MB