Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    22-12-2024 00:52

General

  • Target

    JaffaCakes118_3c8f846d26452cc241065278b2f18f16d389a506fcb7d1052d568f746ccfce4f.exe

  • Size

    1.3MB

  • MD5

    7d7ef23a8491ae7204bfc24de5794577

  • SHA1

    254ba6066a2d51f707a9b16b57fbe70b144e6687

  • SHA256

    3c8f846d26452cc241065278b2f18f16d389a506fcb7d1052d568f746ccfce4f

  • SHA512

    cfc44ee4128e8206f127e5770360c51863a25f0a456b31e72fafcb8f5a1a7e30651d30b1c42c46a78669c9553bfab73ead58d50ebd5034c8cd3ef713806c51fb

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3c8f846d26452cc241065278b2f18f16d389a506fcb7d1052d568f746ccfce4f.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3c8f846d26452cc241065278b2f18f16d389a506fcb7d1052d568f746ccfce4f.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1156
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2760
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1316
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2396
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1864
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1776
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\modules\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1052
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2580
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1676
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:688
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:288
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2424
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\reports\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2172
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9CnSK6J6cV.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2940
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2660
              • C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe
                "C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:672
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GQn77QEoUi.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2244
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:1684
                    • C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe
                      "C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1356
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat"
                        9⤵
                          PID:1340
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            10⤵
                              PID:2628
                            • C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe
                              "C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2584
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat"
                                11⤵
                                  PID:2760
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    12⤵
                                      PID:1440
                                    • C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe
                                      "C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
                                      12⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2940
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat"
                                        13⤵
                                          PID:544
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            14⤵
                                              PID:1088
                                            • C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe
                                              "C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
                                              14⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2896
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\d8IMWcflW5.bat"
                                                15⤵
                                                  PID:816
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    16⤵
                                                      PID:1192
                                                    • C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe
                                                      "C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
                                                      16⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2424
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"
                                                        17⤵
                                                          PID:2524
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            18⤵
                                                              PID:1776
                                                            • C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe
                                                              "C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
                                                              18⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:1440
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat"
                                                                19⤵
                                                                  PID:1044
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    20⤵
                                                                      PID:2960
                                                                    • C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe
                                                                      "C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
                                                                      20⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:1800
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat"
                                                                        21⤵
                                                                          PID:1944
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            22⤵
                                                                              PID:2676
                                                                            • C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe
                                                                              "C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
                                                                              22⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2432
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat"
                                                                                23⤵
                                                                                  PID:1616
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    24⤵
                                                                                      PID:2520
                                                                                    • C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe
                                                                                      "C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
                                                                                      24⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2160
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\Sample Videos\DllCommonsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2872
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2672
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\Fonts\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Fonts\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2668
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Fonts\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2504
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1160
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\lua\modules\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:376
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\modules\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:544
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\lua\modules\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1908
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2452
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1996
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1688
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1852
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2604
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1508
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2200
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1288
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2220
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\AppData\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2996
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Temp\Crashpad\reports\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1824
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
                                        PID:2988
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Temp\Crashpad\reports\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:696

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Downloads
