Analysis

  • max time kernel
    147s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    21-12-2024 19:48

General

  • Target

    JaffaCakes118_d94196b6e505115ee655effe75994d4a249a9dccf70eb2b35f050dbdea61b8f2.exe

  • Size

    1.3MB

  • MD5

    cfb6e71af6e06abbf0a43c41f75afa4c

  • SHA1

    2ec007bed8ec35c8a48b62f2620b05bf7eed77bb

  • SHA256

    d94196b6e505115ee655effe75994d4a249a9dccf70eb2b35f050dbdea61b8f2

  • SHA512

    aa26f2e7066afb1694dba0e5b9ba426ce0be1ebb5b78dcb87cb2beea43ba896dc311d88d20c2a134798f2755889f4170cd634b88df1f928ef15d4addc35c66bb

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d94196b6e505115ee655effe75994d4a249a9dccf70eb2b35f050dbdea61b8f2.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d94196b6e505115ee655effe75994d4a249a9dccf70eb2b35f050dbdea61b8f2.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3064
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2784
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1388
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2540
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2120
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1464
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1460
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:908
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:928
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1668
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:860
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1672
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:852
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2276
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1900
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1328
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2292
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FShK27bb29.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2852
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1848
              • C:\Program Files (x86)\Windows Defender\cmd.exe
                "C:\Program Files (x86)\Windows Defender\cmd.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2012
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat"
                  7⤵
                    PID:2236
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      8⤵
                        PID:1748
                      • C:\Program Files (x86)\Windows Defender\cmd.exe
                        "C:\Program Files (x86)\Windows Defender\cmd.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2164
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat"
                          9⤵
                            PID:2696
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              10⤵
                                PID:952
                              • C:\Program Files (x86)\Windows Defender\cmd.exe
                                "C:\Program Files (x86)\Windows Defender\cmd.exe"
                                10⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1732
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat"
                                  11⤵
                                    PID:2076
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      12⤵
                                        PID:2452
                                      • C:\Program Files (x86)\Windows Defender\cmd.exe
                                        "C:\Program Files (x86)\Windows Defender\cmd.exe"
                                        12⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1704
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat"
                                          13⤵
                                            PID:1856
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              14⤵
                                                PID:992
                                              • C:\Program Files (x86)\Windows Defender\cmd.exe
                                                "C:\Program Files (x86)\Windows Defender\cmd.exe"
                                                14⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2592
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat"
                                                  15⤵
                                                    PID:2628
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      16⤵
                                                        PID:1328
                                                      • C:\Program Files (x86)\Windows Defender\cmd.exe
                                                        "C:\Program Files (x86)\Windows Defender\cmd.exe"
                                                        16⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2308
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat"
                                                          17⤵
                                                            PID:2272
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              18⤵
                                                                PID:936
                                                              • C:\Program Files (x86)\Windows Defender\cmd.exe
                                                                "C:\Program Files (x86)\Windows Defender\cmd.exe"
                                                                18⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2260
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kz4ReWEb5Y.bat"
                                                                  19⤵
                                                                    PID:3048
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      20⤵
                                                                        PID:1504
                                                                      • C:\Program Files (x86)\Windows Defender\cmd.exe
                                                                        "C:\Program Files (x86)\Windows Defender\cmd.exe"
                                                                        20⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:2876
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2708
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2772
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2700
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\smss.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1032
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\smss.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2968
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\smss.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2560
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:884
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2580
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2576
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\cmd.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2964
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\cmd.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:3020
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\cmd.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:3008
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2920
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2952
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2568
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Recent\sppsvc.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2236
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Recent\sppsvc.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1488
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Recent\sppsvc.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1912
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WmiPrvSE.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2144
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WmiPrvSE.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2328
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WmiPrvSE.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2076
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\System.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2336
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2168
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:604
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\providercommon\sppsvc.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2468
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1732
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1252
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:784
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2332
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1976
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Cookies\csrss.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1036
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Cookies\csrss.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1456
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Cookies\csrss.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1096
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:932
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2484
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:716
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\services.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:372
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1860
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1680
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dwm.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1008
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2516
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:544

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  3f0bec0e2764b536ae1f07d170eb50e7

                                  SHA1

                                  7a502cddf69c3be2889c103665ee956ed1c3b435

                                  SHA256

                                  4e95680d3ec5a8101cee4eb308d73425fee24b7ed47e62f1aa7ae94487340e13

                                  SHA512

                                  a9d1b2796023826d8afc297e20d69aa70a8a5040915412db3eb143b103b4952f06667186998ad024e3b268a3b4c08b3f1aa3e7a034bba072113ff5ad72ab0532

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  93a12216d37e0398ce9af0a9013cd4f1

                                  SHA1

                                  bcfd8b0e0974e730fd4100ab15a6debcf80c5c7d

                                  SHA256

                                  a90106ceea0c446e7cf33661fec254322c0b14d5c6bc7bae81d7f5ca4b2eb7e9

                                  SHA512

                                  59c25b571d403b3dfe9e46e4616639409fd8525dc29e3f815996d5751eccf8712760f0c792948b7b656e0542547f7e8202a6e81ea9c32b945d75d0ac98ea1b19

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  0b6b06e7426f31017676bfadf6df9d2e

                                  SHA1

                                  9c9521f9d3af05d21e2782d58d2cd12a423b2a81

                                  SHA256

                                  a9b25e47445ad3064b750a1d62dbc41c509010e2ec0769972c90be42bf39dd9b

                                  SHA512

                                  392c67bd0665cf1f5a5a7643daf6184e442464f2765ceccd83761f4a24f5d13fff3291d62b6c863398dedaa30eb9e9f33b8e70df05c1829fafda0ecefb71e865

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  3ff0095ebd0365f02bd710e4b5b59cf9

                                  SHA1

                                  bfd4aa1e0169abaeeea7713babbcf5916b7bd526

                                  SHA256

                                  bfd436a462ad7a6edf239eeaad734a4b03363aa5739964630efa27e9be7060b9

                                  SHA512

                                  6c7cd5280a110bd3a17aab17897a70de871f0d06a54020ad6561355153716dda5d6a797195673608306c31d0d90fbba590189f074771f7b5286921e8c432372e

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  944acef8328c621523011fbc5205409f

                                  SHA1

                                  4a2c46896e3f5d08f21114110c3cc7a61eab438c

                                  SHA256

                                  bae52abc3b274f5442a9e76d2c66f0f81533710fa06096c2fec671f2c51afbe6

                                  SHA512

                                  e3ada222e6065e615be2de5a299a9a162b94071ac7891c45951aafc64cb5b973f8bcdd5835b003ddded9c13a978b2faea4a44304a75e7c1f4d02fe76fc5267a5

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  960fe980d5328d506d6cb7e86fc92a90

                                  SHA1

                                  c6b77be6c10b66461b922fca098c6d805f98c662

                                  SHA256

                                  b53914e24e0f42ef11577c4ad51e15ec2bca08aaaa05860622b2a132e689b637

                                  SHA512

                                  42173b3a272e18dad79fde213a7b95200a0595565b1c76055c032174b98786bd95cd78571c46e69512104ee3b6b0d1075aa1f3d317b6723fb103c70d869c7914

                                • C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat

                                  Filesize

                                  212B

                                  MD5

                                  e3af4974f7818b0e217e700f4c1b8d2d

                                  SHA1

                                  f39008c3e60272e69116c1beaae029e79c552a24

                                  SHA256

                                  b6f9621ad7cf9b5f5362bad0bc37f77de1fe7093d262631b374be75592c80151

                                  SHA512

                                  8d56b8682a3560f7b822f7a2b2aca4f0ddac1c7789edff6cf06d17d2f015fdadc64441cfe2e2a6f1eb04115db22087ae6cff7f482f6acedb2228d17f6cb8d029

                                • C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat

                                  Filesize

                                  212B

                                  MD5

                                  5365239030e476e60d55686e3003bba0

                                  SHA1

                                  529a726f5b7d4f03fdea78465468800dab502063

                                  SHA256

                                  73fb342f61814912b434a4b6bdd5fc9b1c5c49e3585407638d16e06eaa104990

                                  SHA512

                                  e863954a04a97fd61e84200bfda8286312ce6b32a6c3b920a6cb0071f3870b8146b89c0dd811b49f5fb26c092353d3527292d1479b8e61e8d1bbb4c9cf97c1e2

                                • C:\Users\Admin\AppData\Local\Temp\CabE86E.tmp

                                  Filesize

                                  70KB

                                  MD5

                                  49aebf8cbd62d92ac215b2923fb1b9f5

                                  SHA1

                                  1723be06719828dda65ad804298d0431f6aff976

                                  SHA256

                                  b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                  SHA512

                                  bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                • C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat

                                  Filesize

                                  212B

                                  MD5

                                  a759f6dce4bcab5ae044348e7fdd8365

                                  SHA1

                                  46b8c9eda21ef6e85f5438b38864b0f88a6df4f7

                                  SHA256

                                  7c47da8befac8f4fe0c020576eb948bbff4204b3e43356893caddb1a22d05966

                                  SHA512

                                  0aa0c1323095c2230d9f6c5caf418332a83fb6f3e3ef023bd438a8ed55852d1f80fb7bec728f0fb7aeb9c89f8011c6f9098c99f6fa392772c5742b0ba7869800

                                • C:\Users\Admin\AppData\Local\Temp\FShK27bb29.bat

                                  Filesize

                                  212B

                                  MD5

                                  9fb22bd0ac4122f1bf6c747f7164c34d

                                  SHA1

                                  c174114c2fea481cbcdaa848772795c33282204a

                                  SHA256

                                  787480bb5460633af5fb8f8884ba362269fafe40c12f86afbfbef636e4067c24

                                  SHA512

                                  bdc720359bdeb22981048112d6d89d44cabaacf95a3aec730179c6d5c32dcbc6401c1df4cfced0f683ed188aa434600f77d06cf1d3d8654c8b4943513cb80bed

                                • C:\Users\Admin\AppData\Local\Temp\TarE95B.tmp

                                  Filesize

                                  181KB

                                  MD5

                                  4ea6026cf93ec6338144661bf1202cd1

                                  SHA1

                                  a1dec9044f750ad887935a01430bf49322fbdcb7

                                  SHA256

                                  8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                  SHA512

                                  6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                • C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat

                                  Filesize

                                  212B

                                  MD5

                                  75753dc2d04d5173bcbc1bfba05ceb45

                                  SHA1

                                  da9b0ba7f3d1248e88fe4c9d9a0df20ded057b20

                                  SHA256

                                  a1cd968bb88338e55aa3c371fcb0419ffff1d1d0a8a8ba6d1df71f9ae2ffb4aa

                                  SHA512

                                  94b53aae4e58b9002e965ab8255c2d75c47d0f6aaa2f1d18a34a20de1c4c1ec135a022bf3ecf86fe73acabd85b1d6f80fb2ee1901157953b59b53884b000cebc

                                • C:\Users\Admin\AppData\Local\Temp\kz4ReWEb5Y.bat

                                  Filesize

                                  212B

                                  MD5

                                  08d17398c7a263c8ff6e99099223da2e

                                  SHA1

                                  321fa52e782f144945de38680757dba9ef510d2d

                                  SHA256

                                  6dffe1618499bc20b41681dd288b78ddda0a1e89ff5e247f43e6a4e639cc0c7a

                                  SHA512

                                  427d8602608fb80a0630ee32fc2b0a1acc83c38e1e639bf3eb31c5a00a1ae3b4e26a901ec193bf5f0d76472fd3659a8bd55e85d5456691f024af3297bfef10c7

                                • C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat

                                  Filesize

                                  212B

                                  MD5

                                  432ca339e4c9e1c6cf861e565310c582

                                  SHA1

                                  c266f9a96ad4f3b943fd76867147ff9de150d06a

                                  SHA256

                                  fb17da412c97714f8a70a2605c49469da6e6b0d4c390e71108a64a810ba7dc75

                                  SHA512

                                  6d056d3d9d38cf94dfd951d340a76f7980e3b72356c54d7a45a3763e9e6c33d82aeba81b9739832e61ea3fc8cfcb02400257dbc18aa2b50ee403bd0e39d1f553

                                • C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat

                                  Filesize

                                  212B

                                  MD5

                                  91f4f726fba2fa4901991725b255e08e

                                  SHA1

                                  0fca474f07376ba7136ebad422eb8efa4f32a444

                                  SHA256

                                  9c216c8b3ceb49c7310043676df55349e08cd5dfaa67967148d75ba811335bc8

                                  SHA512

                                  153714b78cd791ec6c8391cce8d5e42a06a0d80c35a8a6c2c800d2d78c139e20b452162264c0b6b87549d00e5101249c1300454200b65163a2a02f76a48eff01

                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                  Filesize

                                  7KB

                                  MD5

                                  9efc894bfda8d5dcc6a23408db304071

                                  SHA1

                                  81d714c00af9a70d43d5768762f843f269ccfa1b

                                  SHA256

                                  37b0fa096e9bb7c0c0bd50fe164e71b7bec117570d6fb54fa129129a94e6b9eb

                                  SHA512

                                  e7c76a7ef3bb9488f24fa464d9e834514a8e53ac76feadb484e38675a96e81b7e444f439ab4ab5fe40b5c0053882d118b9a96153de742189f94d2f8f75fff159

                                • C:\providercommon\1zu9dW.bat

                                  Filesize

                                  36B

                                  MD5

                                  6783c3ee07c7d151ceac57f1f9c8bed7

                                  SHA1

                                  17468f98f95bf504cc1f83c49e49a78526b3ea03

                                  SHA256

                                  8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                  SHA512

                                  c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                • C:\providercommon\DllCommonsvc.exe

                                  Filesize

                                  1.0MB

                                  MD5

                                  bd31e94b4143c4ce49c17d3af46bcad0

                                  SHA1

                                  f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                  SHA256

                                  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                  SHA512

                                  f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                  Filesize

                                  197B

                                  MD5

                                  8088241160261560a02c84025d107592

                                  SHA1

                                  083121f7027557570994c9fc211df61730455bb5

                                  SHA256

                                  2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                  SHA512

                                  20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                • memory/1388-96-0x0000000002290000-0x0000000002298000-memory.dmp

                                  Filesize

                                  32KB

                                • memory/1732-249-0x0000000001140000-0x0000000001250000-memory.dmp

                                  Filesize

                                  1.1MB

                                • memory/2012-129-0x00000000001B0000-0x00000000002C0000-memory.dmp

                                  Filesize

                                  1.1MB

                                • memory/2164-189-0x0000000000150000-0x0000000000162000-memory.dmp

                                  Filesize

                                  72KB

                                • memory/2164-188-0x0000000000160000-0x0000000000270000-memory.dmp

                                  Filesize

                                  1.1MB

                                • memory/2260-486-0x0000000000820000-0x0000000000930000-memory.dmp

                                  Filesize

                                  1.1MB

                                • memory/2276-84-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

                                  Filesize

                                  2.9MB

                                • memory/2784-15-0x00000000002F0000-0x00000000002FC000-memory.dmp

                                  Filesize

                                  48KB

                                • memory/2784-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

                                  Filesize

                                  72KB

                                • memory/2784-13-0x00000000013B0000-0x00000000014C0000-memory.dmp

                                  Filesize

                                  1.1MB

                                • memory/2784-16-0x00000000002D0000-0x00000000002DC000-memory.dmp

                                  Filesize

                                  48KB

                                • memory/2784-17-0x00000000002E0000-0x00000000002EC000-memory.dmp

                                  Filesize

                                  48KB

                                • memory/2876-546-0x00000000011A0000-0x00000000012B0000-memory.dmp

                                  Filesize

                                  1.1MB