Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 21:07

General

  • Target

    JaffaCakes118_6c1a0c4a1368c2d1e50ecd7a65a010e841406d69e3cf78bfe5de64010843f250.exe

  • Size

    1.3MB

  • MD5

    9ec57727d17589aa9bd4afa6191ee3d7

  • SHA1

    a14dffb2eca38fd4211e5c7bf7d3cde0f0bbf0be

  • SHA256

    6c1a0c4a1368c2d1e50ecd7a65a010e841406d69e3cf78bfe5de64010843f250

  • SHA512

    14079522ea9fceb293fd429ef86bed82b37721bb00c9bb9965da49beae5039bb4ea92da2f571aa8082617c1fd320be89596311c150678bb9a7ab4a3a34f04554

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process (33 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload (8 IoCs)

    Detects the payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell (1 TTP, 12 IoCs)

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE (10 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 10 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • Drops file in Program Files directory (9 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task (1 TTP, 33 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (32 IoCs)
  • Suspicious use of AdjustPrivilegeToken (22 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c1a0c4a1368c2d1e50ecd7a65a010e841406d69e3cf78bfe5de64010843f250.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c1a0c4a1368c2d1e50ecd7a65a010e841406d69e3cf78bfe5de64010843f250.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1876
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2684
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1536
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:944
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1540
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:864
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1924
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\IMEJP10\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1652
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2208
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2340
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1640
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2076
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:936
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft\Protect\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:892
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Sucoz4qpVL.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1708
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2020
              • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe
                "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1272
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2800
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:2592
                    • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe
                      "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2980
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat"
                        9⤵
                          PID:2072
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            10⤵
                              PID:1460
                            • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe
                              "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1304
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat"
                                11⤵
                                  PID:2228
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    12⤵
                                      PID:1448
                                    • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe
                                      "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe"
                                      12⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1124
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat"
                                        13⤵
                                          PID:112
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            14⤵
                                              PID:1000
                                            • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe
                                              "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe"
                                              14⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:308
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KmPq9HzxB6.bat"
                                                15⤵
                                                  PID:2648
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    16⤵
                                                      PID:692
                                                    • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe
                                                      "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe"
                                                      16⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:272
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat"
                                                        17⤵
                                                          PID:920
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            18⤵
                                                              PID:1516
                                                            • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe
                                                              "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe"
                                                              18⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2364
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat"
                                                                19⤵
                                                                  PID:2180
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    20⤵
                                                                      PID:1728
                                                                    • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe
                                                                      "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe"
                                                                      20⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2064
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat"
                                                                        21⤵
                                                                          PID:2664
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            22⤵
                                                                              PID:1344
                                                                            • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe
                                                                              "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe"
                                                                              22⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2680
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat"
                                                                                23⤵
                                                                                  PID:980
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    24⤵
                                                                                      PID:1724
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2884
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2780
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2616
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2704
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2596
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1340
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2072
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2184
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1844
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\providercommon\winlogon.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1132
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1768
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1716
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\IME\IMEJP10\dwm.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1896
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\IME\IMEJP10\dwm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1864
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\IME\IMEJP10\dwm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2580
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\System.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1992
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1656
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Application Data\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1728
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1712
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1908
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2964
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\providercommon\taskhost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2956
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2092
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1608
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2472
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2996
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1548
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2044
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3044
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:408
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\Microsoft\Protect\wininit.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2212
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\Microsoft\Protect\wininit.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1840
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\Microsoft\Protect\wininit.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1664

                                      Network

                                      MITRE ATT&CK Enterprise v15


                                      Downloads

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                      • C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat

                                        Filesize

                                        236B

                                      • C:\Users\Admin\AppData\Local\Temp\CabBE.tmp

                                        Filesize

                                        70KB

                                      • C:\Users\Admin\AppData\Local\Temp\KmPq9HzxB6.bat

                                        Filesize

                                        236B

                                      • C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat

                                        Filesize

                                        236B

                                      • C:\Users\Admin\AppData\Local\Temp\Sucoz4qpVL.bat

                                        Filesize

                                        236B

                                      • C:\Users\Admin\AppData\Local\Temp\TarE0.tmp

                                        Filesize

                                        181KB

                                      • C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat

                                        Filesize

                                        236B

                                      • C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat

                                        Filesize

                                        236B

                                      • C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat

                                        Filesize

                                        236B

                                      • C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat

                                        Filesize

                                        236B

                                      • C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat

                                        Filesize

                                        236B

                                      • C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat

                                        Filesize

                                        236B

                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8ISJTMVINMOMH7TIBUCJ.temp

                                        Filesize

                                        7KB

                                      • C:\providercommon\1zu9dW.bat

                                        Filesize

                                        36B

                                      • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                        Filesize

                                        197B

                                      • \providercommon\DllCommonsvc.exe

                                        Filesize

                                        1.0MB

                                      • memory/272-409-0x00000000003C0000-0x00000000003D2000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/272-408-0x00000000011B0000-0x00000000012C0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/308-348-0x00000000003C0000-0x00000000004D0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1272-108-0x0000000000370000-0x0000000000480000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1304-229-0x0000000000340000-0x0000000000352000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/1304-228-0x0000000000D30000-0x0000000000E40000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2064-529-0x00000000002C0000-0x00000000002D2000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/2208-58-0x000000001B780000-0x000000001BA62000-memory.dmp

                                        Filesize

                                        2.9MB

                                      • memory/2208-64-0x00000000027E0000-0x00000000027E8000-memory.dmp

                                        Filesize

                                        32KB

                                      • memory/2364-469-0x0000000001220000-0x0000000001330000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2684-17-0x00000000004F0000-0x00000000004FC000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/2684-16-0x0000000000460000-0x000000000046C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/2684-15-0x0000000000450000-0x000000000045C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/2684-14-0x0000000000440000-0x0000000000452000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/2684-13-0x0000000000D20000-0x0000000000E30000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2980-167-0x0000000000B60000-0x0000000000C70000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2980-168-0x0000000000430000-0x0000000000442000-memory.dmp

                                        Filesize

                                        72KB