Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 20:47

General

  • Target

    JaffaCakes118_67128e92034a2f427a585b15f1c8883c51b174e6c90afea51797ed91e2b8e9a3.exe

  • Size

    1.3MB

  • MD5

    40f0e9d4a2fa4beb2b6bbfad4db622c0

  • SHA1

    e8c345112ba9f492956dc1cc5d3b5888059f5095

  • SHA256

    67128e92034a2f427a585b15f1c8883c51b174e6c90afea51797ed91e2b8e9a3

  • SHA512

    ecbd1972978eff67eea2b28d9774bfd9af839c5fbf157d65cf0f5787a5d14feaf814c11fd7e06b85ebd63a136877945862fd29192a40d5bad46bce25beaeeca0

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_67128e92034a2f427a585b15f1c8883c51b174e6c90afea51797ed91e2b8e9a3.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_67128e92034a2f427a585b15f1c8883c51b174e6c90afea51797ed91e2b8e9a3.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2108
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3064
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:308
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:664
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1540
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1316
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:316
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\AuthCabs\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:848
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wGw2lvD9xQ.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1708
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:916
              • C:\providercommon\DllCommonsvc.exe
                "C:\providercommon\DllCommonsvc.exe"
                6⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1240
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1748
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:876
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\csrss.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2268
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cJ0G5QAkfh.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2804
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:2536
                    • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe
                      "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:840
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1136
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:1652
                          • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe
                            "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"
                            10⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2248
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat"
                              11⤵
                                PID:2208
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  12⤵
                                    PID:1476
                                  • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe
                                    "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"
                                    12⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2164
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat"
                                      13⤵
                                        PID:2156
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          14⤵
                                            PID:2716
                                          • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe
                                            "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"
                                            14⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2692
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBOUzXbIOW.bat"
                                              15⤵
                                                PID:2608
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  16⤵
                                                    PID:1996
                                                  • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe
                                                    "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"
                                                    16⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1096
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iOYCRAfa0D.bat"
                                                      17⤵
                                                        PID:912
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          18⤵
                                                            PID:1316
                                                          • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe
                                                            "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"
                                                            18⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2600
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\esvfELjyVS.bat"
                                                              19⤵
                                                                PID:880
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  20⤵
                                                                    PID:2876
                                                                  • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe
                                                                    "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"
                                                                    20⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:876
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat"
                                                                      21⤵
                                                                        PID:2700
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          22⤵
                                                                            PID:1572
                                                                          • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe
                                                                            "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"
                                                                            22⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2544
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat"
                                                                              23⤵
                                                                                PID:1724
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  24⤵
                                                                                    PID:1036
                                                                                  • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe
                                                                                    "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"
                                                                                    24⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:2500
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nb2ryfxXmZ.bat"
                                                                                      25⤵
                                                                                        PID:764
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          26⤵
                                                                                            PID:3052
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2792
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2832
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2648
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2524
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2564
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1096
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2420
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2488
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\AuthCabs\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2308
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\AuthCabs\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1928
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\SoftwareDistribution\AuthCabs\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2936
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:984
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1424

Network

MITRE ATT&CK Enterprise v15

Downloads


                                          SHA512

                                          6a9d149edba8ad048d942fa7c614208ce1c816a6038e94cea8b9f023775ceca4b796b63bbcb7b84cb9a50600a41d3128835a4dea1ef37b943efa0cf9d593483d

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          67200887fa06f5b464dcac524ad1475b

                                          SHA1

                                          32dc400792b590909962f971609c9a0bd6b78c73

                                          SHA256

                                          b2521ff0cf3e799743eeae0c2867455b43355691df370b01551c48595cde8bf7

                                          SHA512

                                          9c0ac0146cedc7e47520b9c5c28a5d994437e487c0e83d6cd2e9c54b175d848763c1f2e987f109f53816e921101f244363a5bc354524b1ff58e508e0d1e7fad2

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          759a6ab927e8943d13e800a0ea45f537

                                          SHA1

                                          a7a3cb732da409d951bdca0b329ede1b5290ad12

                                          SHA256

                                          1d758a9e0b3855c2b2082d4fe13ae0efc1006966e883a23c927752711692352e

                                          SHA512

                                          e7391893d348940da8ad9c4ca117baebddff9b6a1914fcb868285892bb29cdb836418c4a3215d22bd0c9a81fa0b0635afd4534a73cf63e766b34e573d9fe804b

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          4a752cb810b61aad6661c0e67cbcd607

                                          SHA1

                                          cbe70aa09b327cc09c07d26a0e16c7fd984e8178

                                          SHA256

                                          a3cfe16e1e5f775157b45cc2920909eb6575733f9de3d4338323ed42446ab9f0

                                          SHA512

                                          20111f5bd196b043e605d12577884962b6a9a4a692fe9a31d1eeccfe1f4ef7ce86b5e60a3624518b00940d6812d2146b49920d27f342b4a35244a9a5258d4af0

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          dd7a5a8229f4c3a682ac35d95a1df8ba

                                          SHA1

                                          fe2a54ae1b0cdbe3099a9de696301e633f2f1a53

                                          SHA256

                                          8b2b07ca6fd8550b64bcfecaea19b6253bbc146ad9de31c7622a197c7eeea8e5

                                          SHA512

                                          532c3ef5316a524170854f7d5be509b21c146751cac21e0d72487eae00d6e8054e5d393ff42ddcbc856f308c7be8000fd35715d2ff65f5384fd9a2506f43f110

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          5d5827cfec42e2faf03b5c5dd3daa4d6

                                          SHA1

                                          554c3f21403346edbff1f15c2fa18d15d2eabb3c

                                          SHA256

                                          5c4dd975be10bd741db8bfd07a2c7f193a3530a60b502cea91d4901a8fbe304e

                                          SHA512

                                          d5c6e7387c69fd815c981fc4706977461a381431c70d5a2fe4e2f6e55af2db5c85bcecdf9003afa1824e27a39632d048f1795db9086daf26f81e9703efea636e

                                        • C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat

                                          Filesize

                                          239B

                                          MD5

                                          dd85afcf238a2227745e665ef1c99fe7

                                          SHA1

                                          11caec3dd1b1d2d8060486daa93355712e838fbc

                                          SHA256

                                          4aae00c97fccd856bf26e59555269e38e87d7309c62a2f46d29bc4cda4e847a2

                                          SHA512

                                          016b92dccbeeb0ba36f6d3d70ec3296039adff63f9d38f24d7bd7b3643416620da66ea34d62f48b85ecbf48fd3398575eae792dcba2ef577ffd46be7f18c7be8

                                        • C:\Users\Admin\AppData\Local\Temp\Cab2232.tmp

                                          Filesize

                                          70KB

                                          MD5

                                          49aebf8cbd62d92ac215b2923fb1b9f5

                                          SHA1

                                          1723be06719828dda65ad804298d0431f6aff976

                                          SHA256

                                          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                          SHA512

                                          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                        • C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat

                                          Filesize

                                          239B

                                          MD5

                                          b60ab2e49302363ae654944ae9ca7f41

                                          SHA1

                                          9b38a494fc3edc580b80924e0f2cf6b36a994f46

                                          SHA256

                                          605864139585764f4556d2e496620bd024be30918710291ccc42437e34398d5e

                                          SHA512

                                          247122ad5d0461dc11d50fb37d7a50622b6f40e6e363cea78dc6ce9c6f573a79246ffe750cc2cc852d1870056df8ee50fb1dfb3cdc5b36aec723620b3f0d4b55

                                        • C:\Users\Admin\AppData\Local\Temp\RBOUzXbIOW.bat

                                          Filesize

                                          239B

                                          MD5

                                          aac635249f88c7fae453cf7fa93d4aaa

                                          SHA1

                                          27bdabc729a17ace887ac729e28e798d390a7f04

                                          SHA256

                                          a1eced4f4968c057814934fbbc7a727891e941114326224bc8e8a17adfceb2f3

                                          SHA512

                                          a40a1b44cb40c28f299267c0327369282087b4577db2a38e5b61075ff89547c84fd906a86528ce1644bed5e0059ab5e1f3aaecc8820536813d20313941f2ceab

                                        • C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat

                                          Filesize

                                          239B

                                          MD5

                                          9cf4dc790aac380ff7b9567acd91290f

                                          SHA1

                                          41a84fa9d659811bec00ee99f2f8381ee5366c78

                                          SHA256

                                          f66ebad38f9cb1dc42e677f35bd85f6316daa64f77ffcdf457f2b14bce648950

                                          SHA512

                                          2a2cea5b2e91dfbd947cbf615da994e35ae80ee84360f1d210acd6a74564b71d72caea785d57f61f5a96c03c20b0468efc24b23c43b24f2dd829e2c5cb19a2aa

                                        • C:\Users\Admin\AppData\Local\Temp\Tar2255.tmp

                                          Filesize

                                          181KB

                                          MD5

                                          4ea6026cf93ec6338144661bf1202cd1

                                          SHA1

                                          a1dec9044f750ad887935a01430bf49322fbdcb7

                                          SHA256

                                          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                          SHA512

                                          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                        • C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat

                                          Filesize

                                          239B

                                          MD5

                                          3c8f561e8dec7f8e73e217b17420d7fc

                                          SHA1

                                          bc9467190d4b910dca534879ffc13e77caf9387c

                                          SHA256

                                          28d28615c6775cb7216b3a2f60fc033d5c05d5b8738e0965623dfeea068b491e

                                          SHA512

                                          6e80f1c73637ba120e106438390822f32244216da8d7d851aa58851c98788f310463803dcb2ac5ac10a45f45b4838f2b04fc6d23b2d1b22bbb97d0239506ef06

                                        • C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat

                                          Filesize

                                          239B

                                          MD5

                                          3725c4b0e4e6d99f799e7cd4850df3d6

                                          SHA1

                                          031b8114f7d8f1aac9663c377d1729b3e13c89e1

                                          SHA256

                                          8c24f0d8c626e0282b9ad8dc741a2a1af9d173ddfc61f228a5e2d7ee69c37911

                                          SHA512

                                          a99d270f3e3edfef0be6cf97cc7d044b13025cabd00c5ac3677102503f34eff2ce8cffe83d6bfd19d9117472df66fe1aa25e16d1f5dbe9a6623dfaa828a9f3b3

                                        • C:\Users\Admin\AppData\Local\Temp\cJ0G5QAkfh.bat

                                          Filesize

                                          239B

                                          MD5

                                          0280d1bde313fe1627ac3af861490f5e

                                          SHA1

                                          469a2731069cc58f155d01c77dde7f6a3416ef7c

                                          SHA256

                                          ca682b3682b6f2db54cf58a3802232f99877b629bb65ad008f28b179f0bb1cf2

                                          SHA512

                                          5930e3347508ef6c8d6021b299f53b1ae1b09d55d403f9553f7c43d66ba5e95adb3a7e3de5548af8a416a47388fa915d3de4329f139cc6b4559b0789418ebb4b

                                        • C:\Users\Admin\AppData\Local\Temp\esvfELjyVS.bat

                                          Filesize

                                          239B

                                          MD5

                                          8dc27d0c4cfe58baac9e0ded4613d179

                                          SHA1

                                          9894028de2002dcce65c2104c2a0633f2fc3fe8e

                                          SHA256

                                          e76d37c5219f56c3afd61923863b13c344a60c9d7cd0ebb6359b48d1d4fab084

                                          SHA512

                                          6308c1e6a60544e31fc819460478970ecd42a96bf3b1c79a0d1a9ffac1f51739f4f81617821926c6da5249383c84561461b1003858781ba74ca005e22f1c2075

                                        • C:\Users\Admin\AppData\Local\Temp\iOYCRAfa0D.bat

                                          Filesize

                                          239B

                                          MD5

                                          cd4a26e74dcc2e3e39312db3d4650e79

                                          SHA1

                                          d297e9889f36b3d79d935986ac2c9feeac0cfb71

                                          SHA256

                                          df1f69f4edfae6c8b0dde9fe458b235a0f67135ccc6065641b6cb40dbbb63056

                                          SHA512

                                          b7d3afb4f1f2a6a35d6b441b878a50b18fea6a8af7c99badddc3f77b50344b8dcbd8cfe6d8754b1dd9f9b0c236fe6baf97c1cca31c33af70e1efd99faa063f5a

                                        • C:\Users\Admin\AppData\Local\Temp\nb2ryfxXmZ.bat

                                          Filesize

                                          239B

                                          MD5

                                          25102b5e9d92900753f2c96013c4f14b

                                          SHA1

                                          13e932fe824df2fe5a8e5b8a4cc5a4b9a66b939d

                                          SHA256

                                          911eec09faf03769588e36999f8ff61441684ffd30d4e1ff9bec7067e35bdcbd

                                          SHA512

                                          c61685f69ee045da772e2a2f2ce02135f60bd56f04018c81c0d2dabb65c315cbe1ddf8bd0ce0e29e5e2402bf01b7d2eaa0ca05ef6185fb082ebba49bc7bf540d

                                        • C:\Users\Admin\AppData\Local\Temp\wGw2lvD9xQ.bat

                                          Filesize

                                          199B

                                          MD5

                                          6a011852e0d3be244a1f0bcea3301037

                                          SHA1

                                          89e8c4df124970ae5bce7ae3656aefcb707f53c4

                                          SHA256

                                          19fc4b3a5625bd026323076d8fac86b2146574e08bd83da5cd59316e67987cc9

                                          SHA512

                                          252ee234ef65292c8fb497fea5a4f56ee27e1a1296cb0ed693711e60e37efe48a6fd0978eef1555189ccae5963c6b8d02f5ea9ac06ec0e80d7d01a303b0f2ded

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5TAN64W7KDMULM5RBHHI.temp

                                          Filesize

                                          7KB

                                          MD5

                                          d48ccf31cb450988749f6ab40cdfa397

                                          SHA1

                                          0a30fd05634edee2026023d3cf3bb4b43fcc30a8

                                          SHA256

                                          40e7af65f4b2dcda3fa788fe75a1e73cc25964bf1e9750d02bb9df69771d5381

                                          SHA512

                                          dcb22c84a5116624c3f6915f64c223ab8f4804d8387329a5c204efe0ac4c3733c53823246542347c562c7995ecd4017111d91221219cbd8c8e9e231c1567fc34

                                        • C:\providercommon\1zu9dW.bat

                                          Filesize

                                          36B

                                          MD5

                                          6783c3ee07c7d151ceac57f1f9c8bed7

                                          SHA1

                                          17468f98f95bf504cc1f83c49e49a78526b3ea03

                                          SHA256

                                          8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                          SHA512

                                          c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                        • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                          Filesize

                                          197B

                                          MD5

                                          8088241160261560a02c84025d107592

                                          SHA1

                                          083121f7027557570994c9fc211df61730455bb5

                                          SHA256

                                          2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                          SHA512

                                          20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                        • \providercommon\DllCommonsvc.exe

                                          Filesize

                                          1.0MB

                                          MD5

                                          bd31e94b4143c4ce49c17d3af46bcad0

                                          SHA1

                                          f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                          SHA256

                                          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                          SHA512

                                          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                        • memory/664-57-0x00000000021C0000-0x00000000021C8000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/664-46-0x000000001B670000-0x000000001B952000-memory.dmp

                                          Filesize

                                          2.9MB

                                        • memory/840-87-0x0000000001300000-0x0000000001410000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/876-77-0x000000001B720000-0x000000001BA02000-memory.dmp

                                          Filesize

                                          2.9MB

                                        • memory/876-83-0x00000000027E0000-0x00000000027E8000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/1096-327-0x00000000001D0000-0x00000000002E0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2164-206-0x00000000001B0000-0x00000000002C0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2248-146-0x00000000002D0000-0x00000000003E0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2600-387-0x0000000001110000-0x0000000001220000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2600-388-0x00000000002B0000-0x00000000002C2000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/2692-266-0x0000000000F00000-0x0000000001010000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2692-267-0x0000000000350000-0x0000000000362000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/3064-14-0x0000000000250000-0x0000000000262000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/3064-17-0x0000000000280000-0x000000000028C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/3064-16-0x0000000000260000-0x000000000026C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/3064-15-0x0000000000270000-0x000000000027C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/3064-13-0x0000000000EB0000-0x0000000000FC0000-memory.dmp

                                          Filesize

                                          1.1MB