Analysis

  • max time kernel
    147s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 20:47

General

  • Target

    JaffaCakes118_f9ef47350bc28d02ca8cc8a3cbe8918281b9bddd22ff3cf6ddce2e0338481b20.exe

  • Size

    1.3MB

  • MD5

    beb10c921f9c0ce310b2814a17ac8081

  • SHA1

    c1ac32065ad952b2789c79780e53649eb080ed39

  • SHA256

    f9ef47350bc28d02ca8cc8a3cbe8918281b9bddd22ff3cf6ddce2e0338481b20

  • SHA512

    ab076be546a19385c054effdcfda381d0cef648ad7b1460b25a5a8e51463743fb6efb27fe1c0b8547864f512fc89f35ce24a551fe73a1a25095b2cd123f97548

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9ef47350bc28d02ca8cc8a3cbe8918281b9bddd22ff3cf6ddce2e0338481b20.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9ef47350bc28d02ca8cc8a3cbe8918281b9bddd22ff3cf6ddce2e0338481b20.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1964
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2672
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2340
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2104
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2088
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1016
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2940
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1092
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1060
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1672
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2772
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C43fqAYO3A.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1496
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1736
              • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe
                "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3000
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:908
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:2600
                    • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe
                      "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1576
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6n1oUPmZQq.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2620
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:1944
                          • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe
                            "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe"
                            10⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2368
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NYP5fOsMgV.bat"
                              11⤵
                                PID:2624
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  12⤵
                                    PID:1680
                                  • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe
                                    "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe"
                                    12⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2532
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nKCzYbro9F.bat"
                                      13⤵
                                        PID:1508
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          14⤵
                                            PID:2608
                                          • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe
                                            "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe"
                                            14⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1392
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat"
                                              15⤵
                                                PID:2888
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  16⤵
                                                    PID:3016
                                                  • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe
                                                    "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe"
                                                    16⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2416
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat"
                                                      17⤵
                                                        PID:3020
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          18⤵
                                                            PID:2660
                                                          • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe
                                                            "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe"
                                                            18⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2512
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7hZg3igX7v.bat"
                                                              19⤵
                                                                PID:888
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  20⤵
                                                                    PID:1812
                                                                  • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe
                                                                    "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe"
                                                                    20⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1860
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat"
                                                                      21⤵
                                                                        PID:264
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          22⤵
                                                                            PID:2040
                                                                          • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe
                                                                            "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe"
                                                                            22⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2160
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6qhkY4Aj1y.bat"
                                                                              23⤵
                                                                                PID:1956
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  24⤵
                                                                                    PID:2904
                                                                                  • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe
                                                                                    "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe"
                                                                                    24⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:2824
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat"
                                                                                      25⤵
                                                                                        PID:2588
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          26⤵
                                                                                            PID:2132
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\dllhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2860
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\TAPI\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3004
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1748
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\sppsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2544
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2608
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2988
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2288
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:888
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1716
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\services.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2848
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Documents\services.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2064
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\services.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1668
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:696
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:304
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2020
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1300
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:264
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1268
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1164
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1768
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2880
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\spoolsv.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2348
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2356
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1484
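
The schtasks entries above are the whole persistence story in miniature: a task named after a Windows service (wininit, spoolsv, plus the suffixed variants wininitw and spoolsvs) that launches a copy of the payload from C:\Recovery or a Program Files documentation folder, registered once ONLOGON and once on a MINUTE schedule so the implant is restarted if killed, with /rl HIGHEST and /f to overwrite any existing task of that name. As an added example, not part of the sandbox report or the sample itself, the Python below scores each `schtasks /create` command line for those traits and correlates tasks that point at the same executable. The five sample lines are copied from the process tree; the sixth is a constructed benign task for contrast. The list of impersonated binaries, the trusted directories and the 15-minute watchdog threshold are assumptions chosen for this example.

```python
"""Score schtasks /create command lines for the persistence traits seen above.

Added example, not code from the sandbox report or the DCRat sample. SAMPLE_COMMANDS
holds five lines copied from the process tree plus one constructed benign line;
SYSTEM_BINARIES, TRUSTED_DIRS and AGGRESSIVE_MINUTES are assumptions for the example.
"""
import ntpath
import re
from collections import defaultdict

# Names malware borrows from Windows (ATT&CK T1036.005 masquerading); assumption.
SYSTEM_BINARIES = {
    "wininit.exe", "spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "smss.exe", "winlogon.exe", "services.exe", "explorer.exe", "dwm.exe",
}
# Directories those binaries legitimately run from (lower-case, no trailing \).
TRUSTED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
# schtasks switches that consume the following token as their value.
VALUE_SWITCHES = {"tn", "tr", "sc", "mo", "rl", "ru", "rp", "st", "sd", "ed", "du", "ri"}
AGGRESSIVE_MINUTES = 15  # assumption: /sc MINUTE at or below this reads as a watchdog
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # keep a quoted path with spaces as one token


def parse_schtasks(cmdline):
    """Return {switch: value} for a schtasks command line; bare switches map to True."""
    tokens, args, i = TOKEN_RE.findall(cmdline), {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if key in VALUE_SWITCHES and i + 1 < len(tokens):
                args[key] = tokens[i + 1].strip('"')
                i += 2
                continue
            args[key] = True
        i += 1
    return args


def executable_of(task_run):
    """Program path from a /tr value: '...'-quoted as in the report, or bare."""
    if task_run.startswith("'") and "'" in task_run[1:]:
        return task_run[1:task_run.index("'", 1)]
    m = re.match(r"(.+?\.exe)", task_run, re.IGNORECASE)
    parts = task_run.split()
    return m.group(1) if m else (parts[0] if parts else "")


def assess(cmdline):
    """Return (score, findings, parsed_args) for one schtasks command line."""
    args, findings = parse_schtasks(cmdline), []
    if "create" not in args:
        return 0, findings, args
    exe = executable_of(str(args.get("tr", "")))
    base, folder = ntpath.basename(exe).lower(), ntpath.dirname(exe).lower()
    if base in SYSTEM_BINARIES and folder not in TRUSTED_DIRS:
        findings.append(f"masquerade: {base} launched from {folder or '<no path>'}")
    name = str(args.get("tn", "")).lower()
    if name and any(name.startswith(b[:-4]) for b in SYSTEM_BINARIES):
        findings.append(f"task name {name!r} mimics a Windows service")
    sched, interval = str(args.get("sc", "")).upper(), str(args.get("mo", "1"))
    if sched == "ONLOGON":
        findings.append("logon trigger (T1053.005 persistence)")
    if sched == "MINUTE" and interval.isdigit() and int(interval) <= AGGRESSIVE_MINUTES:
        findings.append(f"re-runs every {interval} min (watchdog behaviour)")
    if str(args.get("rl", "")).upper() == "HIGHEST":
        findings.append("runs with highest available privileges")
    if args.get("f") is True:
        findings.append("/f silently replaces any existing task of that name")
    return len(findings), findings, args


def correlate(cmdlines):
    """Map each scheduled executable (lower-cased path) to the set of triggers registered for it."""
    triggers = defaultdict(set)
    for line in cmdlines:
        args = parse_schtasks(line)
        if "create" in args and "tr" in args:
            triggers[executable_of(str(args["tr"])).lower()].add(str(args.get("sc", "")).upper())
    return dict(triggers)


SAMPLE_COMMANDS = [  # first five copied from the process tree above
    r"""schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\spoolsv.exe'" /f""",
    r"""schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\spoolsv.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\spoolsv.exe'" /rl HIGHEST /f""",
    # constructed benign task for contrast (not from the report)
    r"""schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\wbadmin.exe start backup -quiet" /ru SYSTEM""",
]

if __name__ == "__main__":
    for line in SAMPLE_COMMANDS:
        score, findings, args = assess(line)
        print(f"[{score}] {args.get('tn')}: {'; '.join(findings) or 'no findings'}")
    for exe, triggers in correlate(SAMPLE_COMMANDS).items():
        if len(triggers) > 1:
            print(f"multi-trigger persistence for {exe}: {sorted(triggers)}")
```

On a live host the input would be the command lines from Sysmon Event ID 1 or Security Event ID 4688 where the image is schtasks.exe, or the parent/child pairs the sandbox flagged as "Process spawned unexpected child process"; the per-line score alone separates the five malicious registrations (4 or 5 each) from the benign one (0), and the correlation step surfaces the ONLOGON plus MINUTE pairing for the same path, which is the watchdog pattern a single-line rule cannot see.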

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Downloads

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          73c75187597df2fdf5315928556a69d4

                                          SHA1

                                          247b34d17eee4cc6ef1154274aa7c8b2759bdf2f

                                          SHA256

                                          1b290e92123315c174b3b825246b102caa183bb8be426f454b485e492218cd60

                                          SHA512

                                          f09cb2c36689e7bab667866aca33ffdebacacc52e1598ad5ce3d8f403fd3acce74885badadbc5a12ce1b9bb01d925c23dcd1f54751434019d449989caa3f289d

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          a629484b4bb1875e07a6c3e52988fd1c

                                          SHA1

                                          295f7bf3d3893119b3849bbbdac7ef030d8a6a97

                                          SHA256

                                          4c17bd16a28b055b32bc515720d48c6c5a77072c180e6e38a0cfafb56e20dbb3

                                          SHA512

                                          684dacca48d54fb33358475537c9775ea8fbe6679144281513d24e16ea7807a4c351cb4b8dc44316d8a7c21eefecc86112146b1fdc2dbe35c4e674f635d6dc7e

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          f718bb9aa70c0890ddbc2dd133a44c90

                                          SHA1

                                          52e4f1745272cd719ae459630e1440f665c99db0

                                          SHA256

                                          8479fcddffe6d5212e45d2e6f1dc717904d75afcb59393ad2609d3338c566bf6

                                          SHA512

                                          a1d1754738a82c5dee4ee790f3b10e458366a4b91e93c3c1546e31bf07480bbd97e2cbcb87d4d631c0e22ea4dcfd0709ee4751425ad682d9c9b3bf889f5dd711

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          032c170805a842a436a3bc121c6ca9c2

                                          SHA1

                                          e597763e803066f8b24695a5f752a8ccfd310fac

                                          SHA256

                                          5d2409af6e44c2f5003352165661b0fe2f872d08065674919e7f34b1a6596373

                                          SHA512

                                          8119b265992a1170c8a081586cc1ded362371f77056075d011f44063c1d3231035a11398d11485bd1d466d79de805b3b72731cf693ca76bd9988a14f7ecfb833

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          b79997c4eaac8dbb5c1a331c930d5815

                                          SHA1

                                          06a80c923a9fb4dc30c5642c6c5960d61830fca2

                                          SHA256

                                          446f6875cd2d6176c44da8d410afd4d1d5940fc9200fee6b389c285526c963c1

                                          SHA512

                                          6ac144845f7d737d9de385a68ca6104e5fa30e6521296c52f6327251706763f4f969d752ecc1c0f059a4aa142c18d67f8fc6e5002aa251f9cb64f3aa83baf020

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          b10050f0291d5cf022b3f0f8cc0e28d2

                                          SHA1

                                          e370a470d710ca79fe715e2dcde4c907cf8a4de9

                                          SHA256

                                          a0740b7e75473de085628d9a476a6c3d8dfc1d67a45381502d71037863c261ed

                                          SHA512

                                          535d8efb14dd3077e2750169b355fc6f19b924ab29cef632934d41832c1d28575b25864ac733f361d1c6ec5d56af8b0b32d291349c8fd1dd393ca4e14deae1c8

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          13b08bc1b99c2478de0b921018860f84

                                          SHA1

                                          babf76f93890fee88f5a715e5b50d2f0086857a9

                                          SHA256

                                          c8372e7cc4c8a4440172d02a64a7a34a0c65e80f777851ff3f532eecc8a85394

                                          SHA512

                                          f4210cab07b229d5bb31f5913affcb9227b3795b11bcdf2f071ba4d9bdeec4089742b4e15359559e067e153d77698c51afd07b66c18bfb00f1e58e287432efa7

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          e40931b0ddee64f3fbf180f217df3de6

                                          SHA1

                                          b4b6abd40c219969adc9a8d8e9b79068e8289c4a

                                          SHA256

                                          0178fd4d0ea292000eb93fe05dec5f38a119a2ae9ecd457c2b91b469e4601b91

                                          SHA512

                                          af3cca39db5a960f56c859c7460ccb38a9db50cb706c1b80a72c9d376d59d5f9267482ccaafe63b571c023c2d4cd29a0fe859d1c0326cfe9973e064cdce69931

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          69872256ed92d942e11151e9b842d8cd

                                          SHA1

                                          6f66a4e60ed98f077d1800f81b0c704e07f2cc8a

                                          SHA256

                                          c6ae4d302f9eb908257a460f715df72f542cfd94897a3955cce83ee26d210fba

                                          SHA512

                                          11cc0a8cf78de1ff46894a8ee54a2dd37ae921aaa5b0c49b63f5042043b1906c4aaab906aa91b6d1e6153f970b74b2f994c1e05736e40d8bd10cde179e58ad93

                                        • C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat

                                          Filesize

                                          225B

                                          MD5

                                          c679049073b2ae76c1d14e8e7991c230

                                          SHA1

                                          6942475c0fd5dc7e5665a79051a20ae36cd26f25

                                          SHA256

                                          af772fde9ff7396a434d0a59a9333c185dfcadd3e94ca093c9cf48304ba60c2f

                                          SHA512

                                          15cae3b6fc2fd928c4cc59664027a3437d23a1d4e9646dc4acd46ef538b1d5f6fa1d366697a2e598cf74f208368f4e2fb6c523952c7a7b6702d6d35a51d149a5

                                        • C:\Users\Admin\AppData\Local\Temp\6n1oUPmZQq.bat

                                          Filesize

                                          225B

                                          MD5

                                          fa699fbbf691c3780bb697fc3adefb59

                                          SHA1

                                          3c3a5acea63259d8ab41ccf2808cd354a263e4c7

                                          SHA256

                                          0113686dbbb6ca7fb7778203b03608069187b70c8e92525b4a4323af1cc43c8f

                                          SHA512

                                          686a25db372972b7b4f069aea044b2cdc7251238a831100fc5b60f7233d5866cfed7d67c908adae4fc69cab111439f9ff1f4e2018f1dc8dd7a67f71e9d6fe66e

                                        • C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat

                                          Filesize

                                          225B

                                          MD5

                                          5d883648f684924cc65eda2319073eaf

                                          SHA1

                                          4ece378b0caaac5b9676b67bd062eddc2db028b7

                                          SHA256

                                          e61786d30a2e0ef193f44ba533ae2a375d849901cab03f79bc5392e1fb50a562

                                          SHA512

                                          d22e1956dbda5d733abaa698857db4f49a63f21425ff3c9d89de97edba80fffb9eec60adff50bc6cbd4c8c062035faba08e8f7b74a16dedee16cc17a359f4806

                                        • C:\Users\Admin\AppData\Local\Temp\7hZg3igX7v.bat

                                          Filesize

                                          225B

                                          MD5

                                          0e3a31108c67051d6054a230c4a9d82f

                                          SHA1

                                          6734655a2e6083ddafd48fcdd719187f31524f06

                                          SHA256

                                          ffad0069062a78584c04964ed70401c5a52f3d78a79943f95b5a9feba44fa9d8

                                          SHA512

                                          563b8c72e359824545ce57dbfba42d6abdb937593791fbd3445f67d580d870a9a7d1c8fa43ec0545691fce3e59fb5e588aa1146f82eec636a97b4c92c6774c86

                                        • C:\Users\Admin\AppData\Local\Temp\C43fqAYO3A.bat

                                          Filesize

                                          225B

                                          MD5

                                          df9047f7e49026fa12018b059aab06a8

                                          SHA1

                                          0a7e0a223392e2fc4727a3c1f29b09480a3c062f

                                          SHA256

                                          1c5752745e5e9aa600a92aac128d70c0dfd9587272b698088ed2e248b6a2701a

                                          SHA512

                                          d05a5e28bbf398da5dfa16390c5f2e5a87e84ab9ee0f4577dae0afb476fe81c37757fc74bedb03e2b44b337c6ef5d57de4cb2d26253c075589bd0b0cf87e607b

                                        • C:\Users\Admin\AppData\Local\Temp\Cab27BE.tmp

                                          Filesize

                                          70KB

                                          MD5

                                          49aebf8cbd62d92ac215b2923fb1b9f5

                                          SHA1

                                          1723be06719828dda65ad804298d0431f6aff976

                                          SHA256

                                          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                          SHA512

                                          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                        • C:\Users\Admin\AppData\Local\Temp\NYP5fOsMgV.bat

                                          Filesize

                                          225B

                                          MD5

                                          895ff5a99a306ec5115e15da03f270a1

                                          SHA1

                                          f0553570338cfaf1d8733794844282e528229f66

                                          SHA256

                                          56c0b03436f76862e551613314ff3334d0f87d35f9eac32837b31a4e7b49ecce

                                          SHA512

                                          3ef3044a9b2076cd9c497964dcfcdd7450992c26859558767a8109e53a7081dbc98202d25d35b2b035565f15e014454eecd9b9d10f4a43c9428680e9980e5fb2

                                        • C:\Users\Admin\AppData\Local\Temp\Tar27E0.tmp

                                          Filesize

                                          181KB

                                          MD5

                                          4ea6026cf93ec6338144661bf1202cd1

                                          SHA1

                                          a1dec9044f750ad887935a01430bf49322fbdcb7

                                          SHA256

                                          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                          SHA512

                                          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                        • C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat

                                          Filesize

                                          225B

                                          MD5

                                          84305f35a3cc99ecae4b2949222f8b5d

                                          SHA1

                                          0186dd9e8448afd3d7adab9b777510553d7a1c6a

                                          SHA256

                                          6b50857d88c142ffe70283cfa271f6583b00717e97b0c20f828f8da08fec87c1

                                          SHA512

                                          7c2c3e8a1971441fe51332fa5c18a5472569e7da92dcca4d645b5da9c2a3da18ac4ec870566d6faa6cf40a7175091b3449c2af0f20a43750cf6325c99e230e3b

                                        • C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat

                                          Filesize

                                          225B

                                          MD5

                                          f3edc19db6e2c8b3c92b9359420ea621

                                          SHA1

                                          15bd3ec32b21943bf550858b5f3f30f9e6048d86

                                          SHA256

                                          880b02d4b25ed4b8373877fd7f3971ad96b8d4e5c957459775e37cbca660f2e5

                                          SHA512

                                          120b7a01ac684bbd03de9640315834e18a1eb8695765ba2baa1d485dec37794fc3b3d89230dc1acdc0065347ecb3384deb24451eb5905baf1b3c459217b00e8a

                                        • C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat

                                          Filesize

                                          225B

                                          MD5

                                          2b5814ec1c3b5f43d44d58e79e323d3c

                                          SHA1

                                          115087e6c77048d45d105c8e1119e39b4234293d

                                          SHA256

                                          e27e2f69a47f816cba77d3d29e5568c9a5f2cc3ef9ccc952768c0410d95b635e

                                          SHA512

                                          e8965867d9449e9e343de41ab89ad74024fde11815173fff802b8af83467d59018ab9df112c5667634bf9962385acadd68e71aefa503301d0df7820a756e6e1f

                                        • C:\Users\Admin\AppData\Local\Temp\nKCzYbro9F.bat

                                          Filesize

                                          225B

                                          MD5

                                          1b9f35ac921fa5301549e8428f50fa85

                                          SHA1

                                          b5a35248e1f3cc734071d87eab2e0cf7536205de

                                          SHA256

                                          5ba0421078c1b635a7b9cc5e6b75258465c9cc6459370cb8d8f9dbcfd66ad4d4

                                          SHA512

                                          80b4b03d04273b4ea47f1eaf764015eaa5825632b8741fe15b6c6b66a5253469568a9ebc55db9af4a1449b63b8f9827897fce847d50eb08111a5fd8422851d9f

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                          Filesize

                                          7KB

                                          MD5

                                          b5ba7f0c669d5ba7e36bc72388c15cdc

                                          SHA1

                                          49fbf6488999fcc7e64ae20f2c8f7ad5ed88729d

                                          SHA256

                                          0deede1df1dda2f6487daf472632dc9fd8a52c4f8cc0a9c9c910754817f84156

                                          SHA512

                                          fc85749c3dc60870cd911ec91be210808301bf6731f277d3566a94418aa6da60abc1e30d9a312387ece28bc5b70605519fb79ccefbb0fa06b7cf79abc8b4b7a0

                                        • C:\providercommon\1zu9dW.bat

                                          Filesize

                                          36B

                                          MD5

                                          6783c3ee07c7d151ceac57f1f9c8bed7

                                          SHA1

                                          17468f98f95bf504cc1f83c49e49a78526b3ea03

                                          SHA256

                                          8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                          SHA512

                                          c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                        • C:\providercommon\DllCommonsvc.exe

                                          Filesize

                                          1.0MB

                                          MD5

                                          bd31e94b4143c4ce49c17d3af46bcad0

                                          SHA1

                                          f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                          SHA256

                                          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                          SHA512

                                          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                        • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                          Filesize

                                          197B

                                          MD5

                                          8088241160261560a02c84025d107592

                                          SHA1

                                          083121f7027557570994c9fc211df61730455bb5

                                          SHA256

                                          2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                          SHA512

                                          20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                        • memory/1576-147-0x0000000001070000-0x0000000001180000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2104-44-0x0000000001D20000-0x0000000001D28000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/2104-43-0x000000001B780000-0x000000001BA62000-memory.dmp

                                          Filesize

                                          2.9MB

                                        • memory/2160-562-0x00000000003B0000-0x00000000004C0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2532-266-0x0000000000670000-0x0000000000682000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/2672-13-0x00000000001C0000-0x00000000002D0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2672-14-0x00000000002E0000-0x00000000002F2000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/2672-17-0x0000000000310000-0x000000000031C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2672-16-0x00000000002F0000-0x00000000002FC000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2672-15-0x0000000000300000-0x000000000030C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2824-621-0x0000000000F70000-0x0000000001080000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/3000-87-0x0000000000E60000-0x0000000000F70000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/3000-88-0x0000000000340000-0x0000000000352000-memory.dmp

                                          Filesize

                                          72KB