Analysis

  • max time kernel
    147s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-12-2024 00:39

General

  • Target

    JaffaCakes118_6e3669a8b99618a8c690bc516f8694fd8e384d65bb9093540e38e76268830528.exe

  • Size

    1.3MB

  • MD5

    7bef1c792bd992a92335790de3c7174f

  • SHA1

    d933d294739059082693c4895d80b0c2908500b5

  • SHA256

    6e3669a8b99618a8c690bc516f8694fd8e384d65bb9093540e38e76268830528

  • SHA512

    f41438b8dbac80f293e6034ed22b31cff7e43544e5e2d42804d9a0aa923c35796339be9ec20ea2dbf63444bd44212cb25ad302e21031bfd718e240d9dd846b0f

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e3669a8b99618a8c690bc516f8694fd8e384d65bb9093540e38e76268830528.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e3669a8b99618a8c690bc516f8694fd8e384d65bb9093540e38e76268830528.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2788
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2280
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2140
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2484
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\ASP.NET_4.0.30319\0008\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2128
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2308
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2288
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\es-ES\WMIADAP.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2112
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2072
          • C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe
            "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2756
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:3020
                • C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe
                  "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1680
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1440
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:680
                      • C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe
                        "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2556
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:588
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:400
                            • C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe
                              "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe"
                              11⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1780
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JbtrqXgYk1.bat"
                                12⤵
                                  PID:3052
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    13⤵
                                      PID:2168
                                    • C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe
                                      "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe"
                                      13⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2992
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lg3y2yDdyq.bat"
                                        14⤵
                                          PID:2316
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            15⤵
                                              PID:1868
                                            • C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe
                                              "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe"
                                              15⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:1344
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat"
                                                16⤵
                                                  PID:944
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    17⤵
                                                      PID:912
                                                    • C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe
                                                      "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe"
                                                      17⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2360
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wxi7FenmH.bat"
                                                        18⤵
                                                          PID:2312
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            19⤵
                                                              PID:2484
                                                            • C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe
                                                              "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe"
                                                              19⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2144
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r7gOBUt9HL.bat"
                                                                20⤵
                                                                  PID:1956
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    21⤵
                                                                      PID:1844
                                                                    • C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe
                                                                      "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe"
                                                                      21⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2992
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat"
                                                                        22⤵
                                                                          PID:1000
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            23⤵
                                                                              PID:2116
                                                                            • C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe
                                                                              "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe"
                                                                              23⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:580
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat"
                                                                                24⤵
                                                                                  PID:2728
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    25⤵
                                                                                      PID:1908
                                                                                    • C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe
                                                                                      "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe"
                                                                                      25⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:1948
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat"
                                                                                        26⤵
                                                                                          PID:864
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            27⤵
                                                                                              PID:2844
                                                                                            • C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe
                                                                                              "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe"
                                                                                              27⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:556
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Local Settings\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2936
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Local Settings\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2716
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1392
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2756
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\inf\ASP.NET_4.0.30319\0008\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\inf\ASP.NET_4.0.30319\0008\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2456
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\inf\ASP.NET_4.0.30319\0008\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2016
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1388
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\es-ES\WMIADAP.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3016
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\es-ES\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2368
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:536
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1276
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2260

Network

MITRE ATT&CK Enterprise v15

                                        Downloads

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                          Filesize: 342B
                                          MD5: 789218b535fd2ae622677fc8327dfed9
                                          SHA1: 76d612f3aa735bc12fef25df1ed563006ac98846
                                          SHA256: 1bd1940d15ef781c70d777194f330675adafcaac3e308a07aa1f76cfef0abbc8
                                          SHA512: cdb0c787b3a5e8d129d21b411edc6832f6bb9d0fa765cc541cc9ca34429c12a45b294ea27d7586de40898d0a0f98e85499f80abee99b4449f6dee03227698134

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                          Filesize: 342B
                                          MD5: 5bd094eb4d270af8a95020e2727b51c9
                                          SHA1: 1a71de9dbaf340b1774910fdec59063f972f7750
                                          SHA256: 25ed7195f2f0ace025497c15e6a835ebad0902c2dcbba74b9b751ddbd5528b23
                                          SHA512: 2b390542b7334df722d77f26ea7845f89c71aba37a5d03a50c81cced7a6142635757cfad61cce0ec5fd6f5a3c9475aff8f883435c091680a392d090d95a8db30

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                          Filesize: 342B
                                          MD5: 762a8f83b4d13c370b78f2160b1011ce
                                          SHA1: ee876806d167d0cf7c70d9cfc81780066c8c71b1
                                          SHA256: 2f4e645ff262679d2f9afd53abfd2e5be1e58b30a4c3b6c468a7601b07f18831
                                          SHA512: c8f425027399b8dff3558306b05e68cacd57b50362b77501b0ba6dbf91a5033e8607517a5ee7859631b20900c7ae064a58b45f0e5073bc61efe8adc40dd4d2eb

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                          Filesize: 342B
                                          MD5: 9694150537eb5cf7a044b873afe119c4
                                          SHA1: 13217caba6a8400f33dc13c75471a860e208b02f
                                          SHA256: a37185332e071599d4a572274dcd82e9c617110224c1ff8549ce6d731d994dff
                                          SHA512: b6ca1037bd0b9ea793a6a2523cb5404e25fd251a525a6549429491f1a9912bc3b418828a105f22bd65465d83e932930133f8fd32da6a2318bbc5a23d50211186

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                          Filesize: 342B
                                          MD5: 595f763a396deba0df8c095651bcf032
                                          SHA1: 21350ccb09c9c3cbc6de1240539553eb7a3e3979
                                          SHA256: 3aa624a17e5248fc0e3eb3a3be4729bc2d1a608d0b0823dc382bf23ea4ca8a69
                                          SHA512: 0367f0e4da42f7a6cd9317b3e19f7a7add3506583148b3e13f13dded8d095f3984d8cee7523c2f7fd8129ee170e12848311785542748e5408da9252f13bd1455

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                          Filesize: 342B
                                          MD5: a72c02a3763eae8b4f24a6e4b0c87d4e
                                          SHA1: f4e5e2d100334743572fb5b8732060102593e2ab
                                          SHA256: df7ce5f34f6d63461e194f7b872efe41bafcd51e32075e50ff5f1f96f6800cc9
                                          SHA512: 12f75f2cfa7efaf1539d3351cb3e69a76364438ba8f18eeda20cc254c5f5355e9a26d69d8a66757b1120dc7c66914596172763572f17f046271fc7af355c4a01

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                          Filesize: 342B
                                          MD5: 8085d22c21fc7f3ed92083f3264914ed
                                          SHA1: 8b8519a9304d38b13c22f8224645ffb67c83f542
                                          SHA256: 6a6bc4149d209bb9f01f065179efdc8b351c7b36140ed8b963149deec0178ae7
                                          SHA512: 424f4413c9358f8730876760a86aa01970557c861149a8e7cfb6c0caf458279f03432849a348ec193a0229b4bcdab64708f3d82431cf09293af3be8cde3e9294

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                          Filesize: 342B
                                          MD5: 009072286254028eb04f2c2d46a1d3ec
                                          SHA1: dbde8545e91661b8e95753ea56f783ebdac127e6
                                          SHA256: c016b3e183da7a40f0a7f0dd0bbbbfbd45ecbc5b1fc8bab15729f6b7db733189
                                          SHA512: f2845d8dcbfb422239ecc2680b246865c3c7f8e4ff214598757b7b5f7bdd91631490c4920841996f47456a0b37b2d91b3441ce7720c3ff278d408be5de8689b0

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                          Filesize: 342B
                                          MD5: ec40af0be8953a41343d08af138d8af9
                                          SHA1: c7b7efca998d5aa1f94489465d7a35a573d47f91
                                          SHA256: 8d11772df86314c43e13e72581bf2ff569f5ba37dab84ebe4c91cff09917c637
                                          SHA512: 3df6809079279cc23b6f182b41f3847863f333339f731d7e56cd016e46f5cf685660d83dfc606635950372566c2cbe2e7830bfff3633266ca4ece13a1f1b2d66

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                          Filesize: 342B
                                          MD5: 3b469870c7f1d21369b300e71f6c55d7
                                          SHA1: 475d76dfd4a51b3a028474e3253ad22339c209ad
                                          SHA256: fee940a1fe3a69e75db388dcf84fc89dbfa1de9957a0541319d7b7c3a8528dd2
                                          SHA512: 5778ce041afa57dc6f05a82a3c3229f55e3a913e43e3f16bc9ba1628908a28242dfbf557fcf23cea01136f075f6cd020171a1f67730c3393023327d0f20a160d

                                        • C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat
                                          Filesize: 225B
                                          MD5: a552e0bede3c91289c4737ebd41eef53
                                          SHA1: a90b1b75afcd352ae4bd5510bb6a87e2980c952a
                                          SHA256: cafaeec79abf35f6b0e7c06adacbc610bf9727fd23cda3851823708a264d46ee
                                          SHA512: ae6397ff80b71cacc28ef580186e823a221b93563c7ab699d40cf5307e0430ade4ddbabe7c64bf08ecef8d1c0b01f80f6fd4831fed77023929f53b624f73d81c

                                        • C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat
                                          Filesize: 225B
                                          MD5: 53974b460f389db2932709be3c9b5b67
                                          SHA1: 48691de8ed12b6d50fa1e7d71baf34793b45d1d9
                                          SHA256: 22837aa16a66980354299fe535e8111c36f5a15eb9194faef966d6f8408f86bc
                                          SHA512: 65228ef748cf0c6d419936e8a8b2aca19c88a619f43bb8b8f38b162a9fd22d3f52fa3eecc38958dc25858cb9423dc0b7060a5616913e69b7578e4cbfef0a2c87

                                        • C:\Users\Admin\AppData\Local\Temp\2wxi7FenmH.bat
                                          Filesize: 225B
                                          MD5: 430ad6f01b678532147310a60ea5fcd5
                                          SHA1: ca2a4c4a304648d4a6bc4555e46a8ecb3cd68a38
                                          SHA256: ebdf89b47b7fc0d2c51f942105ed2458525eb1dc73fdade84b490e888a1b459a
                                          SHA512: ca4f54d4f51664372254185fb3f0f0e37c4574415d9a153f2aed9b95891591e87c9d1e063d6475feb469a586ae417fceacba672c97f295c278f4d8611c3e6f93

                                        • C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat
                                          Filesize: 225B
                                          MD5: 8799e57755c8475f5d954eed2aea3d1e
                                          SHA1: 2f83e8fb8f2efbc36d8b34c30754ddbfbfa44f60
                                          SHA256: 02672cb56de189fc51ba3d09e656b0edfe7426ae74062045054b1d0c6b0d9db7
                                          SHA512: fcc82b0f4e9832b70f45e2060a036754f248084f24eeee2be6bccf301dea7ab126e3f785624739c9ea6cfe4fd3fe0fb6df417438f2be111f15409100bdb42588

                                        • C:\Users\Admin\AppData\Local\Temp\Cab8BA.tmp
                                          Filesize: 70KB
                                          MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
                                          SHA1: 1723be06719828dda65ad804298d0431f6aff976
                                          SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
                                          SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                        • C:\Users\Admin\AppData\Local\Temp\JbtrqXgYk1.bat
                                          Filesize: 225B
                                          MD5: 77f3bc340656d795d658ba474ad62031
                                          SHA1: 900754bcfbec6ea03b285eaa58341c5443e84889
                                          SHA256: 7934eb2850ab5d3b49ff5a3cafe8f68f1e67857ba283fce0242f35f9742f3712
                                          SHA512: f328b88fc50a8ab9af2830c188a0d84e0822a0219298428c4114544e732258d303dc1e9c79010be776e2a3e6e98ffc6a6946c308f92b12ffc96329f0d1764dd7

                                        • C:\Users\Admin\AppData\Local\Temp\Lg3y2yDdyq.bat
                                          Filesize: 225B
                                          MD5: d46572c6b91460460bc8ad4299c85ef2
                                          SHA1: 056f02c1f4c38580a3b232e30963b57c3fa8f0d4
                                          SHA256: f22d55b08418ac5016cb2bda567479b122184c6ec7a66a54d9086e34609b579a
                                          SHA512: 0a4d62873c112f8cbe33fdf22de49827b9700a9c805912fd9595361223e99e73f6c4f4619f27c348b29ee42fae584c04cd5a4750a3d159ea9b95530dc07e6669

                                        • C:\Users\Admin\AppData\Local\Temp\Tar8DC.tmp
                                          Filesize: 181KB
                                          MD5: 4ea6026cf93ec6338144661bf1202cd1
                                          SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
                                          SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
                                          SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                        • C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat
                                          Filesize: 225B
                                          MD5: e2fa81b6642cd4d3e8b2f3f870c37398
                                          SHA1: 1238730911156eb93ae9634f844e96a69c4d1b72
                                          SHA256: 90c70ee59f1a984a670bbdde55a7fbce5f98baa087a73528588a3649cc6df5ef
                                          SHA512: 8aea4be1315110fee42d6b781bbda2e460d44b8da9d7765c5e27ab9b6ff1b86808282c0cb6006207a0c7fcc8937ede7436d87b1ba180150a5b828d29646a839a

                                        • C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat
                                          Filesize: 225B
                                          MD5: b88baaac09edb707148afad64b5690c6
                                          SHA1: 9a158c087ff9b4fd85e77a8fb32090554186a879
                                          SHA256: 41d976e47f0718c95169d33d73fe3699a0b8f23800188dbc443835baa1177663
                                          SHA512: 96b5f6834db39bec43cf776fd9138e39ce83e9966de76864943383cd7af3fdeeff9cb83987cd5a56d747155b18b8da001a53e6c7fec2940b2b9ae13ce6c76e20

                                        • C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat
                                          Filesize: 225B
                                          MD5: c05b3a55d93cfb149f6ca655ad30c058
                                          SHA1: 4cc7d9a52640b011b5af474490ae3760af04cccb
                                          SHA256: 066b8aff59740f8040d86c7b7abbf0faf7f63bade5004cc4dfa4a9506a518618
                                          SHA512: 4581424f02191416b5428a1a43d86288463cd6b7a9325ea472810a9dab232d63610a8f71fd131b95a603d14e37c615f92e861b3da256dacd8e729b549f3c53b2

                                        • C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat
                                          Filesize: 225B
                                          MD5: c193bcac479e94a28188514e9762492d
                                          SHA1: acfe6dd699bb27f4e8a5d1dce72ddddf33a61fb1
                                          SHA256: 7376d90625dae1526b31a19eda5760e5221415614e9afac2127626ca283ab1c5
                                          SHA512: d043cab5196f1395f9896919f1fd0fe2ce326678355b055ae9ba00f7e129083a8f4b71718a179a346cc42d6c1fd5365b7fd2b49d83547a884a34b0cedbae68e6

                                        • C:\Users\Admin\AppData\Local\Temp\r7gOBUt9HL.bat
                                          Filesize: 225B
                                          MD5: 62d50b90493102ec6f9f240300d6ab2b
                                          SHA1: 9a1e767326f2650b302497fbaa47e7b670879d64
                                          SHA256: 5e5a7979c84941d69ac3f1557d6050f026e233fff939fdd88973fed143d897bb
                                          SHA512: d85562f23a81a7bc1bb9aee64696e1d26e045fb99497cf91f0b653c17a69c4d2b81b7740d7a535732f27ecd7bbe15464815d4f0ac8db9bfb1e6254886b01128d

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                          Filesize: 7KB
                                          MD5: 84f3718fc49c09ecb72c24288cd1f3bc
                                          SHA1: bc8b56bbb83509e9764e165eef42cd0688577658
                                          SHA256: 7028f40344a72ed4967b60613f9f37a31d2e517da4e7b6c0236c3ed64772d9a6
                                          SHA512: 5d4a208a38c8e54e2825c1ef1807080b910183fa22a32e119c71025715e7ea883f44ff336733939599cc0d9be000745811d279de709890bbba6ee1298c0b38da

                                        • C:\providercommon\1zu9dW.bat
                                          Filesize: 36B
                                          MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
                                          SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
                                          SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
                                          SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                        • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
                                          Filesize: 197B
                                          MD5: 8088241160261560a02c84025d107592
                                          SHA1: 083121f7027557570994c9fc211df61730455bb5
                                          SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
                                          SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                        • \providercommon\DllCommonsvc.exe
                                          Filesize: 1.0MB
                                          MD5: bd31e94b4143c4ce49c17d3af46bcad0
                                          SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
                                          SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
                                          SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                        • memory/556-737-0x0000000001320000-0x0000000001430000-memory.dmp
                                          Filesize: 1.1MB

                                        • memory/1344-378-0x0000000000EC0000-0x0000000000FD0000-memory.dmp
                                          Filesize: 1.1MB

                                        • memory/1680-138-0x00000000001F0000-0x0000000000300000-memory.dmp
                                          Filesize: 1.1MB

                                        • memory/2144-498-0x0000000000390000-0x00000000004A0000-memory.dmp
                                          Filesize: 1.1MB

                                        • memory/2144-499-0x0000000000300000-0x0000000000312000-memory.dmp
                                          Filesize: 72KB

                                        • memory/2280-44-0x000000001B770000-0x000000001BA52000-memory.dmp
                                          Filesize: 2.9MB

                                        • memory/2280-45-0x0000000001EF0000-0x0000000001EF8000-memory.dmp
                                          Filesize: 32KB

                                        • memory/2360-438-0x0000000000AD0000-0x0000000000AE2000-memory.dmp
                                          Filesize: 72KB

                                        • memory/2556-199-0x0000000000450000-0x0000000000462000-memory.dmp
                                          Filesize: 72KB

                                        • memory/2556-198-0x0000000000E40000-0x0000000000F50000-memory.dmp
                                          Filesize: 1.1MB

                                        • memory/2616-38-0x00000000012F0000-0x0000000001400000-memory.dmp
                                          Filesize: 1.1MB

                                        • memory/2788-17-0x0000000000400000-0x000000000040C000-memory.dmp
                                          Filesize: 48KB

                                        • memory/2788-16-0x00000000003E0000-0x00000000003EC000-memory.dmp
                                          Filesize: 48KB

                                        • memory/2788-15-0x00000000003F0000-0x00000000003FC000-memory.dmp
                                          Filesize: 48KB

                                        • memory/2788-14-0x00000000003D0000-0x00000000003E2000-memory.dmp
                                          Filesize: 72KB

                                        • memory/2788-13-0x00000000009F0000-0x0000000000B00000-memory.dmp
                                          Filesize: 1.1MB

                                        • memory/2992-559-0x0000000000FA0000-0x00000000010B0000-memory.dmp
                                          Filesize: 1.1MB

                                        • memory/2992-318-0x0000000000300000-0x0000000000410000-memory.dmp
                                          Filesize: 1.1MB