Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-12-2024 21:06

General

  • Target

    JaffaCakes118_afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2.exe

  • Size

    1.3MB

  • MD5

    596fa7efb6978c8cb9463f1b9f362284

  • SHA1

    2fdac4fb18abdb83cd16c1a6d4cf7d48050e5003

  • SHA256

    afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2

  • SHA512

    68dffb7d32b027cd142dcdd88bd973fbb3b4fb5759e6faf2a72f6072da1a710da4874a0e0e6ca6facab3cdbbffa30aa10e2da4291cfe4ae1097021f0f651c567

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 13 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 14 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afcb9eca113e024882261c3f92504ef92f683793423af7bc22e9453d7a887dd2.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3176
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2228
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4984
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:372
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\bcastdvr\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:944
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4724
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\attachments\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1016
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2488
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1560
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5112
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\de-DE\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1916
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\unsecapp.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1716
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmxpVlvNzE.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3488
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:3812
              • C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe
                "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2140
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l8nFZEr7oq.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4408
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:4808
                    • C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe
                      "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
                      8⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4216
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ap6i2Y3psm.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2728
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:2608
                          • C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe
                            "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
                            10⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Modifies registry class
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:3260
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat"
                              11⤵
                              • Suspicious use of WriteProcessMemory
                              PID:1560
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                12⤵
                                  PID:4084
                                • C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe
                                  "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
                                  12⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:2368
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat"
                                    13⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:5116
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      14⤵
                                        PID:3520
                                      • C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe
                                        "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
                                        14⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Modifies registry class
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of WriteProcessMemory
                                        PID:372
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QY0o5k1hVk.bat"
                                          15⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:212
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            16⤵
                                              PID:1288
                                            • C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe
                                              "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
                                              16⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Modifies registry class
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of WriteProcessMemory
                                              PID:4012
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat"
                                                17⤵
                                                  PID:1452
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    18⤵
                                                      PID:4880
                                                    • C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe
                                                      "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
                                                      18⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Modifies registry class
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:3976
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat"
                                                        19⤵
                                                          PID:4356
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            20⤵
                                                              PID:2992
                                                            • C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe
                                                              "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
                                                              20⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Modifies registry class
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:3252
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat"
                                                                21⤵
                                                                  PID:5052
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    22⤵
                                                                      PID:2744
                                                                    • C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe
                                                                      "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
                                                                      22⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Modifies registry class
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:4540
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat"
                                                                        23⤵
                                                                          PID:3372
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            24⤵
                                                                              PID:2372
                                                                            • C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe
                                                                              "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
                                                                              24⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Modifies registry class
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2972
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat"
                                                                                25⤵
                                                                                  PID:4244
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    26⤵
                                                                                      PID:5116
                                                                                    • C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe
                                                                                      "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
                                                                                      26⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Modifies registry class
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2704
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat"
                                                                                        27⤵
                                                                                          PID:468
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            28⤵
                                                                                              PID:4036
                                                                                            • C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe
                                                                                              "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
                                                                                              28⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Modifies registry class
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:1224
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat"
                                                                                                29⤵
                                                                                                  PID:852
                                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                    30⤵
                                                                                                      PID:5104
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\bcastdvr\sppsvc.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3960
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\bcastdvr\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:5108
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\bcastdvr\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3964
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\smss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2116
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2820
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2528
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Crashpad\attachments\smss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3648
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2280
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Crashpad\attachments\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2400
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dllhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3520
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4556
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1708
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2864
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3444
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:512
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2084
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4768
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3696
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\PolicyDefinitions\de-DE\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3808
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\de-DE\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1660
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\de-DE\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3744
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\unsecapp.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4616
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\unsecapp.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1180
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\unsecapp.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4292

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

                                            Filesize

                                            1KB

                                            MD5

                                            baf55b95da4a601229647f25dad12878

                                            SHA1

                                            abc16954ebfd213733c4493fc1910164d825cac8

                                            SHA256

                                            ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                            SHA512

                                            24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                            Filesize

                                            2KB

                                            MD5

                                            d85ba6ff808d9e5444a4b369f5bc2730

                                            SHA1

                                            31aa9d96590fff6981b315e0b391b575e4c0804a

                                            SHA256

                                            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                            SHA512

                                            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            e094d3dd06d66000f1ef728ee6d8e60e

                                            SHA1

                                            4aa04aa09fc2aee0a44317f7f2a9fdc9325dec63

                                            SHA256

                                            afa28f5bd38e21db0f71e21be34a6f7932e70ad80e2d3edc26fe1ffab231ce91

                                            SHA512

                                            9c7d86abb71d17b992ca5aa474e492e18172068462512c7f4fe542b5e3674577fb48069f217a7f4ec1f2fa6edad64350ec8ddaccfa8200651b4d909c377ef3bb

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            62623d22bd9e037191765d5083ce16a3

                                            SHA1

                                            4a07da6872672f715a4780513d95ed8ddeefd259

                                            SHA256

                                            95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

                                            SHA512

                                            9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            2e907f77659a6601fcc408274894da2e

                                            SHA1

                                            9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                                            SHA256

                                            385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                                            SHA512

                                            34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            d28a889fd956d5cb3accfbaf1143eb6f

                                            SHA1

                                            157ba54b365341f8ff06707d996b3635da8446f7

                                            SHA256

                                            21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                            SHA512

                                            0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                          • C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat

                                            Filesize

                                            227B

                                            MD5

                                            d6ea79763abb435a409149af33cf304e

                                            SHA1

                                            5b15b5c61792dc57f97856ef2af3ea4310ad0ccb

                                            SHA256

                                            306ed6eda5a185ada0be5a6198fad95698ce0fd5cfaea41ea5a0fe38a305a4cd

                                            SHA512

                                            73da283dbe29019d6e4537a2e78d996c37877da296e96e7a0804a774d1104c0346a93dfaf25ea8e04c6aa2f53056899c5acb21e43429958f4ad65fafec30a062

                                          • C:\Users\Admin\AppData\Local\Temp\Ap6i2Y3psm.bat

                                            Filesize

                                            227B

                                            MD5

                                            b2b6d9f8c0eb5aca61ead84c7a233d0c

                                            SHA1

                                            f5535b0abf5b34c45e7672b631e30d762dc46c94

                                            SHA256

                                            f9a3a86882cf7024f95d3efaeed73d168206c1b4264b7564db52852d08c0b1b9

                                            SHA512

                                            14f75fcfcea8be19dbc7e451e30f56b132b9ceb400c8bd206bde18480644d13dc9ea8ff54189fbd291d20cfc5fa49e6043e27af13bd573729cf3d32a11b40678

                                          • C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat

                                            Filesize

                                            227B

                                            MD5

                                            71256b45f41621692ecdadb9e41f02f9

                                            SHA1

                                            88db31ab00ff1e8dfa895f6f1c48ebdf7c39a5c6

                                            SHA256

                                            b454c83d13076f045e48f84d882c00e3238ce0c1a3ae384b28eebeaba1cd30ab

                                            SHA512

                                            2252554ccfe263a4ca1eacd6068e6a5047b062613d66abc68a2217901688adb1e2f0618f71bb82cf34d962c191dc744f25b77c9667fbb96dbe9fbee9b26f648b

                                          • C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat

                                            Filesize

                                            227B

                                            MD5

                                            0911d147f23187baafac2a0b591fc813

                                            SHA1

                                            3f880007ee0fd10a14f5aab14c118d458404287b

                                            SHA256

                                            fd937902c3212faefae523499085526165408645f791428904e53f2c3bc6e7f8

                                            SHA512

                                            3cbf83d5a90e403bff10398b1aa70ec3f9e2a6fda1e7f543900d9c33b0ed0c80e12dd763d866a7c7fcb8d259b8afc4989869cffd93ccc05d13d1a2387ce054b8

                                          • C:\Users\Admin\AppData\Local\Temp\QY0o5k1hVk.bat

                                            Filesize

                                            227B

                                            MD5

                                            a446aeb11fe4713fe2dbc706e8d5aa76

                                            SHA1

                                            a5975b593a1e41fcc89672c91e651be5e0713bf6

                                            SHA256

                                            dd503e63f6e0ff64c9ad197d9f4307527488bcf2bad3f9028d14078814aa083a

                                            SHA512

                                            3e2bbde2d4be39c83d70b9ad54fcabc6b25d453cc2c19799abbcdf4772f024731d8d00108d8ac456b0c696c6837ddf6edba0b64984a05584c4c4f2f40afc77be

                                          • C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat

                                            Filesize

                                            227B

                                            MD5

                                            3a9c0c4e62162b9bd56fdb4303c8c24a

                                            SHA1

                                            87e2e89d006919408e5c115c070beac8917f11d3

                                            SHA256

                                            1f6d810dbdecb32edb060cd80c53cef1e0380e0b0b9c16cbdae93efca970deaf

                                            SHA512

                                            17710c8443d067f638abcbb2ef6cbf1ca557dfc61b709c46d06ee114db4fd21472ccbbb6d407e63600f111584b08dff48abc51a8aab895200a88dff7c1419a30

                                          • C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat

                                            Filesize

                                            227B

                                            MD5

                                            dcf58ff7c9e15e83af4abb41a7d802ca

                                            SHA1

                                            614a74d3dfd83b3e0f57fa668c91fbd0dc4c198a

                                            SHA256

                                            259c11696740981b7eed6d27be6000af9db6d898a4bad67d56273af98411b2e9

                                            SHA512

                                            6e64ee00d4789f7365e64aa7051efabc23ca21e2b3b56d0ee3f992542470950bf810bcbbfed1bc4864d0e08472fb8e49e9192e413f567faed7d99c5843520f2d

                                          • C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat

                                            Filesize

                                            227B

                                            MD5

                                            dd6575af5b036588940142882360385b

                                            SHA1

                                            8131ab0f506f2b2451cec0678b5584d56cd61c5b

                                            SHA256

                                            07279addbec620fcb9da93ef1fa3aa5708f17b24c574591f565742a5b8d1260c

                                            SHA512

                                            0190e01bd0e8aa9abf945717c0f509f10aaecc35747f260de3ebde2ae6e54cf2c2944ffb6a14d100eeb552bcb50186f09d1ba3a11ac1983f9871885eac9a66b3

                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mx4yvgir.z2k.ps1

                                            Filesize

                                            60B

                                            MD5

                                            d17fe0a3f47be24a6453e9ef58c94641

                                            SHA1

                                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                            SHA256

                                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                            SHA512

                                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                          • C:\Users\Admin\AppData\Local\Temp\fmxpVlvNzE.bat

                                            Filesize

                                            227B

                                            MD5

                                            ab9cfd2312e2561ea66f9c149ce542a5

                                            SHA1

                                            b8fe117af816e6ab3ec06ad53314df685248f920

                                            SHA256

                                            6bfed17e34c580b898c278b42f169f5c13c47c9d9f5780386448cbb720c8c99e

                                            SHA512

                                            2b1c0ed48517f86727074dfbdac23dc7fcd65e7c5f73776e7f543f0295ea273f66709794cc81a10fd0181bd43507efdf4313c34215d7b5f84d8983446c7c583c

                                          • C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat

                                            Filesize

                                            227B

                                            MD5

                                            cba7e059a10289179adbef379916a5a8

                                            SHA1

                                            407f122cde753f5d313ee25781bea9b6d42577bb

                                            SHA256

                                            43e6ca4e10374a6aa3ae0dca12d2d37f76134f971a78447af93022a1c07bd3c5

                                            SHA512

                                            10bfc65e26989645f8d7ff42f444401cc8f63953402e0429ea4bbdc735d26377226202bd9a602dba6ebd8652717181dc3cf74a8f337a94a819ea8cf3e5067ffb

                                          • C:\Users\Admin\AppData\Local\Temp\l8nFZEr7oq.bat

                                            Filesize

                                            227B

                                            MD5

                                            308efd3cb65e8223f0567a85483dce13

                                            SHA1

                                            a560abd26c59df2cba77587a60507b32c5e5b1bc

                                            SHA256

                                            98bbef3b536ac70d13713f49d33a88aba99d4effa52c7d2a07e4fbca9d5d5491

                                            SHA512

                                            66ede5971a359c6e86090c1905729ac79015b40fddee5c5e592096f18091f1ddc4e27cb179681ea05091405bed96b1ebde49c4fd402cdd5ba833e294293a63f1

                                          • C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat

                                            Filesize

                                            227B

                                            MD5

                                            96adaa1686141a9227379abfd14d2c23

                                            SHA1

                                            92e6258e8235689f2ba6958bc11bc85b6e56b2e1

                                            SHA256

                                            b08dcd4a31e413e63d37a2e86d78558799ee35fbaf1389d0655842b4f895ca68

                                            SHA512

                                            f5545e7c92e0366e05d019cb49591c8f7d7e2ece44fc701432c63619acb1a25dd5405a46d516ddc496072d9a441e08a55046b281aa376b4e99eae2742c46e1e4

                                          • C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat

                                            Filesize

                                            227B

                                            MD5

                                            184901647ec4d2fa7e27961917a64aa4

                                            SHA1

                                            eedaa76baa434fce4ce17b905f86a15f48984688

                                            SHA256

                                            96941b86b00eea3255c913ea193fe3217ff474168187042c2db6c57cdb6fec2c

                                            SHA512

                                            1f70b6319ac7545241dc82fcf75d354f31edafcf27fe6523ef3886e4be4fdf25644e1730714c39caeeebe6eb4fd19455d25b9ab5a33111ed9f3215e2117f849b

                                          • C:\providercommon\1zu9dW.bat

                                            Filesize

                                            36B

                                            MD5

                                            6783c3ee07c7d151ceac57f1f9c8bed7

                                            SHA1

                                            17468f98f95bf504cc1f83c49e49a78526b3ea03

                                            SHA256

                                            8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                            SHA512

                                            c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                          • C:\providercommon\DllCommonsvc.exe

                                            Filesize

                                            1.0MB

                                            MD5

                                            bd31e94b4143c4ce49c17d3af46bcad0

                                            SHA1

                                            f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                            SHA256

                                            b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                            SHA512

                                            f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                          • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                            Filesize

                                            197B

                                            MD5

                                            8088241160261560a02c84025d107592

                                            SHA1

                                            083121f7027557570994c9fc211df61730455bb5

                                            SHA256

                                            2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                            SHA512

                                            20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                          • memory/944-45-0x0000029C203F0000-0x0000029C20412000-memory.dmp

                                            Filesize

                                            136KB

                                          • memory/1224-229-0x000000001C7E0000-0x000000001C989000-memory.dmp

                                            Filesize

                                            1.7MB

                                          • memory/1224-223-0x0000000002E40000-0x0000000002E52000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2140-151-0x000000001BB90000-0x000000001BD39000-memory.dmp

                                            Filesize

                                            1.7MB

                                          • memory/2140-144-0x0000000002320000-0x0000000002332000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2704-221-0x000000001BEC0000-0x000000001C069000-memory.dmp

                                            Filesize

                                            1.7MB

                                          • memory/2972-213-0x000000001BC70000-0x000000001BE19000-memory.dmp

                                            Filesize

                                            1.7MB

                                          • memory/3252-199-0x000000001C360000-0x000000001C509000-memory.dmp

                                            Filesize

                                            1.7MB

                                          • memory/3252-194-0x0000000002B30000-0x0000000002B42000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/3976-191-0x000000001BF10000-0x000000001C07A000-memory.dmp

                                            Filesize

                                            1.4MB

                                          • memory/3976-186-0x0000000000D00000-0x0000000000D12000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/4216-159-0x000000001C980000-0x000000001CAEA000-memory.dmp

                                            Filesize

                                            1.4MB

                                          • memory/4216-157-0x000000001C980000-0x000000001CAEA000-memory.dmp

                                            Filesize

                                            1.4MB

                                          • memory/4540-206-0x000000001C5F0000-0x000000001C799000-memory.dmp

                                            Filesize

                                            1.7MB

                                          • memory/4984-13-0x0000000000090000-0x00000000001A0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/4984-14-0x000000001AC90000-0x000000001ACA2000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/4984-12-0x00007FFBAD013000-0x00007FFBAD015000-memory.dmp

                                            Filesize

                                            8KB

                                          • memory/4984-15-0x000000001ACA0000-0x000000001ACAC000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/4984-16-0x000000001ACB0000-0x000000001ACBC000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/4984-17-0x000000001B4E0000-0x000000001B4EC000-memory.dmp

                                            Filesize

                                            48KB