Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240729-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    22-12-2024 00:34

General

  • Target

    JaffaCakes118_7b54ea7b211a63b6324c6dea9aa084190db42712f910ed58d901b01265e496e0.exe

  • Size

    1.3MB

  • MD5

    635078e24668df4f43ab1768f0edde94

  • SHA1

    cd2d7a837f11d9aa9f987d65e303a023954a71d8

  • SHA256

    7b54ea7b211a63b6324c6dea9aa084190db42712f910ed58d901b01265e496e0

  • SHA512

    2a0247895bb0d9cce1cb5c15c61e5625b8ab870fad067f2e44664ffe1979b85b64c7080cf3e4e91eed191c086f193343ce84b7c641e2fc17043670a3ab039aff

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    PowerShell was used to modify Windows Defender settings by adding exclusions (file extensions, paths or processes). In this run, Add-MpPreference -ExclusionPath was invoked once for each dropped payload path, so Defender no longer scans any of them.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
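
The PowerShell signature above is the one a responder has to act on first: every Add-MpPreference -ExclusionPath call in the process tree carves a path out of Defender's scanning, and the excluded paths are exactly the locations the scheduled tasks later launch from. The following is an added example, not part of the sandbox report: a Python audit that pulls the exclusions out of captured PowerShell command lines (the nine lines from this report plus two constructed ones) and flags those that point outside an assumed set of trusted roots, or that borrow the name of a Windows binary while living somewhere else. TRUSTED_ROOTS and SYSTEM_BINARY_HOMES are assumptions for illustration, not a Microsoft reference table.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Add-MpPreference parameters that widen Defender's exclusion set.
EXCLUSION_PARAMS = ("ExclusionPath", "ExclusionExtension", "ExclusionProcess")

# Assumed allow-list: directories an exclusion may legitimately point into.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\",
                 "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Assumed reference table: where these Windows binaries really live. A file
# with one of these names anywhere else is borrowing the name.
SYSTEM_BINARY_HOMES = {
    "smss.exe": ("c:\\windows\\system32\\",),
    "spoolsv.exe": ("c:\\windows\\system32\\",),
    "services.exe": ("c:\\windows\\system32\\",),
    "explorer.exe": ("c:\\windows\\",),
    "cmd.exe": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
    "osppsvc.exe": ("c:\\program files\\common files\\microsoft shared\\"
                    "officesoftwareprotectionplatform\\",),
}

# One exclusion value: 'single-quoted', "double-quoted" or a bare token.
_VALUE = r"""'[^']*'|"[^"]*"|[^\s,'"]+"""
_PARAM_RE = re.compile(
    r"-(?P<name>%s)\s+(?P<values>(?:%s)(?:\s*,\s*(?:%s))*)"
    % ("|".join(EXCLUSION_PARAMS), _VALUE, _VALUE), re.IGNORECASE)
_VALUE_RE = re.compile(_VALUE)


@dataclass
class Finding:
    param: str
    value: str
    reasons: list  # empty list: nothing suspicious about this exclusion


def parse_exclusions(cmdline):
    """Return [(parameter, value), ...] for every exclusion a command line adds.

    Understands quoted values and PowerShell array syntax ('.exe','.dll') and,
    like PowerShell itself, ignores parameter case.
    """
    if not re.search(r"\bAdd-MpPreference\b", cmdline, re.IGNORECASE):
        return []
    found = []
    for m in _PARAM_RE.finditer(cmdline):
        param = next(p for p in EXCLUSION_PARAMS if p.lower() == m.group("name").lower())
        for raw in _VALUE_RE.findall(m.group("values")):
            found.append((param, raw.strip("'\"")))
    return found


def assess(param, value):
    """Reasons this single exclusion deserves an alert; empty means it looks benign."""
    if param == "ExclusionExtension":
        return ["extension exclusion %s disables scanning of every such file" % value]
    path = PureWindowsPath(value)
    name = path.name.lower()
    parent = str(path.parent).lower().rstrip("\\") + "\\"
    reasons = []
    if param == "ExclusionProcess":
        reasons.append("process exclusion: files written by %s are never scanned" % name)
    if str(path.parent) != ".":  # a bare process name carries no directory to judge
        if not parent.startswith(TRUSTED_ROOTS):
            reasons.append("excluded location %s is outside the trusted roots" % parent)
        homes = SYSTEM_BINARY_HOMES.get(name)
        if homes and parent not in homes:
            reasons.append("%s masquerade: expected in %s" % (name, " or ".join(homes)))
    return reasons


def audit(cmdlines):
    """Parse and assess every command line; one Finding per exclusion added."""
    return [Finding(param, value, assess(param, value))
            for line in cmdlines for param, value in parse_exclusions(line)]


def suspicious_exclusions(cmdlines):
    return [f for f in audit(cmdlines) if f.reasons]


# Command lines copied from the process tree of this report. Note that
# C:\Users\All Users is the junction to C:\ProgramData on this Windows version.
REPORT_CMDLINES = [
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\smss.exe'""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\OSPPSVC.exe'""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\cmd.exe'""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'""",
]
# Constructed lines (not from the report): a benign vendor exclusion and an
# extension/process exclusion written with array syntax.
CONSTRUCTED_CMDLINES = [
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Vendor\agent.exe'""",
    r"""powershell -Command Add-MpPreference -ExclusionExtension '.exe','.dll' -ExclusionProcess svchost.exe""",
]

if __name__ == "__main__":
    for f in suspicious_exclusions(REPORT_CMDLINES + CONSTRUCTED_CMDLINES):
        print(f.param, f.value, "|", "; ".join(f.reasons))
```

All nine exclusions from this report come back flagged, seven of them twice: the path lies outside any trusted root, and the file name is that of a Windows binary sitting in the wrong directory (C:\Windows\system\cmd.exe is not the cmd.exe from System32 or SysWOW64). On a live host the current set is visible with Get-MpPreference | Select-Object -ExpandProperty ExclusionPath and each entry is removed with Remove-MpPreference -ExclusionPath; do that before deleting the files, or Defender will not look at them while the scheduled tasks keep relaunching them.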

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b54ea7b211a63b6324c6dea9aa084190db42712f910ed58d901b01265e496e0.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b54ea7b211a63b6324c6dea9aa084190db42712f910ed58d901b01265e496e0.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2124
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:608
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2680
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2180
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2224
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2948
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1976
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2424
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2420
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1012
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2024
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:444
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JAOarNqrtp.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2132
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1412
              • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe
                "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2540
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PJw82jcrZC.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1896
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:1584
                    • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe
                      "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1876
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gozseo6rLH.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:900
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:1160
                          • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe
                            "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe"
                            10⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2372
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yaFjl1awzE.bat"
                              11⤵
                                PID:2752
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  12⤵
                                    PID:1976
                                  • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe
                                    "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe"
                                    12⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2480
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat"
                                      13⤵
                                        PID:1148
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          14⤵
                                            PID:1892
                                          • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe
                                            "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe"
                                            14⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2732
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat"
                                              15⤵
                                                PID:1980
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  16⤵
                                                    PID:1932
                                                  • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe
                                                    "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe"
                                                    16⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:640
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat"
                                                      17⤵
                                                        PID:988
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          18⤵
                                                            PID:1956
                                                          • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe
                                                            "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe"
                                                            18⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2920
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat"
                                                              19⤵
                                                                PID:2900
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  20⤵
                                                                    PID:1184
                                                                  • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe
                                                                    "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe"
                                                                    20⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2456
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat"
                                                                      21⤵
                                                                        PID:2736
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          22⤵
                                                                            PID:1568
                                                                          • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe
                                                                            "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe"
                                                                            22⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1728
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lBSBdtFHPx.bat"
                                                                              23⤵
                                                                                PID:2176
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  24⤵
                                                                                    PID:2396
                                                                                  • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe
                                                                                    "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe"
                                                                                    24⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:860
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat"
                                                                                      25⤵
                                                                                        PID:2704
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          26⤵
                                                                                            PID:2588
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2984
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1088
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3016
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1952
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1436
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Favorites\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1112
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Favorites\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:880
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1184
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1852
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:448
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\system\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\system\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\system\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1084
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1668
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:564
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2364
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2884
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2160
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2184

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 2d719ce48a311b31a6a2d5025617baad
  SHA1: f29396a3dce1a801d3cde6ec50667a4b2080ed5f
  SHA256: d8658a972390346f251d052e50d5ed8bad7a57153b2f09f089f5b61b10a5156b
  SHA512: 1ab0c854bd6ada9aeab7185bc4dc5dd0313d65bd1d2fd9eb04013b91419be01695fcc0eee35473ae826f478293a9e246af8366fcb5ae57aa6c4bdbcc5dde7315

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: da64e69e74cbd2df5de620a183ae894d
  SHA1: b9325f1619ec1ffe38744b32692a173be86ded51
  SHA256: 2e8d1d5e96eb864aa78b935be9f9f0f6fbab632dc9cfc295bb000508653deffa
  SHA512: 8265059d7f93990b4a19b4df6bc39f4a289e9cc707dfdc8009f77223c1533d427cc6b061aa4ed10ef4378c65409579c7b4e2265f053a9e4dd11437d4bf465a46

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 4d1af3a64da084c7d97250d7fa01d3c6
  SHA1: ce98336a153b7da257f4756c2577c55bdc534262
  SHA256: a5f4e523bbe2d349aa25701f99f9a1555ae9a28518b2edceca7c85b5912b8599
  SHA512: ff4001a95878b0fa49b8ca5a696ca0a8b21146ab8cdd498ac8860dc9f9b724d41404cdf7d73c7dcfe487309d9e64530275e1322500b3788f03ae67ab30ee0504

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 0376b3afc107c376239ff87c87be5743
  SHA1: b9019150e6ebc5098eb398f83cfab3830e7e9b7a
  SHA256: 8e5db0f2321e6f6ea1085dcbe33cfd749c5085739514176aeb9eea066ff38b6c
  SHA512: 208d030f11b3631d0c23ccf1f53b7b9f38f145a6c50a1c24db12ef927e5ab1cfb6f680edb245048f5761d95b9ddf83ffc4b27e3b8d4d755ca131200c92fd312e

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 26ebf4cafb36ff79ecd21f1dd58c76e3
  SHA1: 0cc4348419e6921546f8ea7be76a44f3f916ced7
  SHA256: 645ef817e282b752a1bda849ccab13e775d2b23d60aa39b4483c94e073d7ed96
  SHA512: 39970f685c82a202680036058281009f6af542d6fe8f3895e616c5532ff592640e6c42edb7e7488fb4bf43a734b50d977583e6576bfb55a2cdfe5b08b85eaec8

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 3b1196ab2a1377a530b2c72384085d70
  SHA1: 777ea260c370a76cd8d44ebb4ae659fa353ca318
  SHA256: 2d30f4ae04b279f0548e101b956dddf2822b3654fe8d4d8efd3212d040c985d3
  SHA512: deea0da97955f605d7bbba49cd18c674bef57f76a9435d9c8f68036c301bfa59f9b9cb9b49b1c669d8a26042d90ab6267c289da1445a6a38c96afbec873a1eb4

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 9bbc90acebe5df180ac3e81485bb2b18
  SHA1: 585f24542e6c57b15296823113e53644b4a9aee0
  SHA256: 53ce59eb5c49928997284a72102db6738d2b75b738a28c799937670c9f3a6763
  SHA512: 0a20ab0586956c00ddaac8a538140f27c0ec7b2593e07a3fc78034f9e9bb1c1fe720fdba31deb5d5fa053c0a26d59837b10db9f0ddf9bd444c2eecf5fc1420b2

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 21f14b771d2aeefcf0bd8e25d681ad7c
  SHA1: a95d37d737802c690df0f13e6bb0db45965f3fcf
  SHA256: c26300cf6d377c67ae58f0aea09a7e821d672769b2141610879e855f8a201fdb
  SHA512: 42c8f9706a0cee10b6b1a0767ab593ca5fc60a8bd5f41ebcddf56260fe0deefc3790bb88399fa48fdd7728ad6f80ca336dd26f512f9d4987ac65e6b94144510a

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: a7a18da7716cbcba0150adbc979b753d
  SHA1: 681b206749402224a99eeee3d5eb4b855496630b
  SHA256: edfb0f5fea8890b5f341ec3e1455ef62c67c5d6d0ef3401b38b0b71dcef2c222
  SHA512: bd0b57787c141a45149ab7b69864bfa65afdef67793e7ddf97e28683bc2469fb7709b609f382c4480b9e413676ef5b543399f651da2e67e281ad83f5349caceb

• C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat
  Filesize: 236B
  MD5: ff2f2ed339082fb17ee0d0b81cf114ea
  SHA1: 7362729eb65f7580b5db2f00e640de25834881f7
  SHA256: 5b0f6344fd438f5205c820a941098be4cc84fb1e2026f734fc83ac700be18b0b
  SHA512: ad62de7a9cffbf6bbc7c1ec2bd9d7f7e28edbd57e1f9c41262c5c119a6d6763535142fe347b4a347dfc4862c7e2106bdef87cc6cc61c1a0c12b8c1f168d7afdf

• C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat
  Filesize: 236B
  MD5: 47a4247f3aeb4ab15f0ad233e10e7653
  SHA1: 38fce9265e5c4c873db45e7ac14686ee97e7fd02
  SHA256: 612efad6543412ec096975a7f4c032c0719a3298cd8e6d1032b13a6797c3d8a6
  SHA512: 896e3627549f0e2c2b0add9f16ed34102829fac16f98ce249174df876cffb9a1d95992d7ccf2d47c748dcb01b270bc40f7eb6a22c61a6ddf0b0e7eafdc2324a3

• C:\Users\Admin\AppData\Local\Temp\Cab7C15.tmp
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

• C:\Users\Admin\AppData\Local\Temp\Gozseo6rLH.bat
  Filesize: 236B
  MD5: 6a0460aa857974a6351c0c92d3410234
  SHA1: b9b60e00f2c08e31f22360439f0e7405fea8a17d
  SHA256: cbe23fc14aeb2a8bd7b95b55ff3ba5ffea3dc417d2dec9d381e39cf3a809216d
  SHA512: 252c3ea763a81050822e37de08fca0ac3bd55d6d8127d3bec1625a0cb47471a0c5dc3365cf8c2a258064591c52f59049c49996db429089bbe83353507bee0d36

• C:\Users\Admin\AppData\Local\Temp\JAOarNqrtp.bat
  Filesize: 236B
  MD5: 0b024639381cb6b46bef7dce8f3b8903
  SHA1: 439d32acb24bff7ab95f40a2482c588aedbe7679
  SHA256: c79b3d62ceda966f39219d5c50af98c62b56253ffc98678df9e2495e49f248fe
  SHA512: b9dee649a69189ce2938a8fceb0ce26e3661c00e185a3d6db690f8fdf1ce2b4c9efdcfbb12a622f541066301c0b9219cd22543e3177334c489b4f6f626d7b005

• C:\Users\Admin\AppData\Local\Temp\PJw82jcrZC.bat
  Filesize: 236B
  MD5: dceb1edcd9ba173d27474d35dee7681e
  SHA1: e5945d5602087b3d26ad07b5b3793762e790865a
  SHA256: 25f7a12add35ff87d8d537888eea62380eb4e8268ee8b07d7e6f0c6cab9bc9cb
  SHA512: 694e55e9af538b2b8b0c5933cc9055dbb240914da871f021cb435371e04fd134a35bfb6ddf95e6746480f9deeb8e8fb3b81e34adc4d300fff03eaaccaa69d988

• C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat
  Filesize: 236B
  MD5: a5367e0b6dc4db34d0ac95c5ef9d4189
  SHA1: bf3cf674a9f8c11733fb7445f172f6b9f6470f49
  SHA256: 978ccfce8a61ecf4d5f473bcec3cbc81698af1337ee9c1231de1ff88d8f8f00b
  SHA512: 65ffef62aad5224ebf76b671c29170e761222b1afa48b6eebe3c38f50b00f034cdd30876ba473e8633a5e1d74dc96baf02ad4305f9daf6c0bd6fb497b969ece9

• C:\Users\Admin\AppData\Local\Temp\Tar7C46.tmp
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

• C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat
  Filesize: 236B
  MD5: 24ffda64e74ecee1d5f0c3988ec889be
  SHA1: a3992a244799af334a1ce8cbbdc0630b9e5625bf
  SHA256: f0ca853eadc64a206c9800673266a80cf72cfb4f3307aa4e1b850aff1ff0601c
  SHA512: b3d3bc2c5215f66dda64c60791ab352d6da4cd9f8c4e2e268c94a9aec4dc7525ec3440bd1ca1f1bb23644388dc455b62fa1637b3fc85db2faed2496e583a85c4

• C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat
  Filesize: 236B
  MD5: f00fb6662fc73fd1e384032c4a51a0b3
  SHA1: abb6c861f784e478f69ad6b3943e1e92041e274a
  SHA256: 88b8d353ac3ae026955357735a744a4a84930c4ade2bc4495fe2e298f5b28306
  SHA512: 0fda490733efae8018662d93c5383edc8515be72bef77f894861203d39c9ac83eaa7f956272d880966b470bb8c973e1d1c416f01e0025f9af809b1e3bb713249

• C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat
  Filesize: 236B
  MD5: bd0f47eb744102cada506b478e1f7a39
  SHA1: f97ac201f2304b01d9cf640e47045034992d10d9
  SHA256: 444d3d6f875fd160f69d6135b56f33b27be765bc5a2d3587523009556cae8d04
  SHA512: f795b3aafaf807620feafe532e9c020f335a6d823f10efc4710db2d92d39a9ea49d4116b8d44684b73bcc1f193da8790cf6690902f5467473e8db6e0339e72c1

• C:\Users\Admin\AppData\Local\Temp\lBSBdtFHPx.bat
  Filesize: 236B
  MD5: 5f6ff59c2aa6c97d94b67f142eb42de7
  SHA1: 004dac1846043d8cdc9bd700fb3dc9bde1d990d8
  SHA256: c8dcaeb439aead0a6507d53cc200d4832b4c4ea03194c69df2f8e3cc06644d4c
  SHA512: eee3154b0f0b6b14d4b3bd808fb2cfb09da6c82439a36b84ae172ba4b8d37d7caeb99e77c74dfec6262f061ab89926df1663b6f25ae7139474d2797262faaf24

• C:\Users\Admin\AppData\Local\Temp\yaFjl1awzE.bat
  Filesize: 236B
  MD5: df41433e0dfc8488ad78629108960d21
  SHA1: ee6a81bb3a167920896508fc0335ed078470912d
  SHA256: 1542c9ea13f9899d4fdc518eb052d04e6338932d5cb8b304793d254076fd87dc
  SHA512: e551c2ae919aeef4660e19572c6e041a49e7942d2c5ad947dc92f1d23bc05c7985c9eca871580241bf4f6e7daa84ff4288e52eca409004a3e753988a311dde9a

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XFFOAXOWFG32I321J1IJ.temp
  Filesize: 7KB
  MD5: 4f4f0a939664dc4c09507d85a4af9a0e
  SHA1: 2f64f6d7f82515d9c8431a0904c5972a34a848d9
  SHA256: 66a7b03cdd77ed106ec2220b28fbde816b5c5b4c443809028217b6f7943bd2ae
  SHA512: 819e7ba7cdc05b3649ea8c24bcf27a6a0d17067a8de494d1f0eda62b2a96e0a666d8c249c6e13c4523bec40d40bd53efb8c84087373245fa158228029678bbb8

• C:\providercommon\1zu9dW.bat
  Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

• \providercommon\DllCommonsvc.exe
  Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• memory/640-382-0x0000000000440000-0x0000000000452000-memory.dmp
  Filesize: 72KB

• memory/2420-65-0x0000000001E40000-0x0000000001E48000-memory.dmp
  Filesize: 32KB

• memory/2424-66-0x000000001B5B0000-0x000000001B892000-memory.dmp
  Filesize: 2.9MB

• memory/2456-502-0x00000000011D0000-0x00000000012E0000-memory.dmp
  Filesize: 1.1MB

• memory/2540-85-0x00000000004C0000-0x00000000004D2000-memory.dmp
  Filesize: 72KB

• memory/2540-84-0x0000000000E60000-0x0000000000F70000-memory.dmp
  Filesize: 1.1MB

• memory/2680-17-0x0000000000510000-0x000000000051C000-memory.dmp
  Filesize: 48KB

• memory/2680-16-0x00000000004F0000-0x00000000004FC000-memory.dmp
  Filesize: 48KB

• memory/2680-15-0x0000000000500000-0x000000000050C000-memory.dmp
  Filesize: 48KB

• memory/2680-14-0x00000000004D0000-0x00000000004E2000-memory.dmp
  Filesize: 72KB

• memory/2680-13-0x0000000000E10000-0x0000000000F20000-memory.dmp
  Filesize: 1.1MB

• memory/2732-322-0x0000000000430000-0x0000000000442000-memory.dmp
  Filesize: 72KB

• memory/2732-321-0x00000000010D0000-0x00000000011E0000-memory.dmp
  Filesize: 1.1MB

• memory/2920-442-0x00000000002D0000-0x00000000002E2000-memory.dmp
  Filesize: 72KB