Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-12-2024 01:00

General

  • Target

    JaffaCakes118_d546b8669d3e456675447544bbc172a27648310b2e6276fd327f7c00f71339af.exe

  • Size

    1.3MB

  • MD5

    e8bbdad97a163cb2956c4e9866d95d16

  • SHA1

    9f66fbdb18609e87967f6a08438b044a6949a94a

  • SHA256

    d546b8669d3e456675447544bbc172a27648310b2e6276fd327f7c00f71339af

  • SHA512

    f7ad35f31bf495ef200119ed4b062854c60223191b05b221a45765e36713f3fc22971315de7d35dbe611037d3c0efb403ff40455023a5d918872b5b692aacc71

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. In this run the flagged children are the schtasks.exe invocations listed at the root of the process tree with no recorded parent.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    PowerShell is run to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. In this run nine powershell.exe invocations each call Add-MpPreference -ExclusionPath for one of the dropped binaries, so that Defender skips them before the scheduled tasks launch them.

  • Checks computer location settings 2 TTPs 16 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 14 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the victim system's language in order to infer the host's geographical location.

  • Modifies registry class 14 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. In the process tree below the tasks come in triples per dropped binary: a MINUTE-interval task, an ONLOGON task with /rl HIGHEST, and a second MINUTE-interval task with /rl HIGHEST that reuses the first task's name; because every call passes /f, the later creation replaces the earlier one, and the task names (wininit, SppExtComObj, cmd, Registry, Idle) mimic Windows components.

  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
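The signatures above are the sandbox's canned descriptions. The following is an added example by the editor, not part of the sandbox report, showing how the same behaviours can be matched on process-creation telemetry (Sysmon event 1 or Security 4688 style records). The events are constructed from command lines in the process tree below, with parent images read off the tree depth; the 15-minute interval threshold and the two benign control events (PIDs 9001 and 9002) are the editor's assumptions, and reading w32tm /stripchart against localhost as a delay loop is the editor's interpretation of the tree, not a claim the report makes.

```python
"""Process-creation triage for the behaviours listed in the Signatures section.
Added example by the editor, not part of the sandbox report."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_image: str   # "" when the sandbox did not attribute a parent
    image: str
    cmdline: str


@dataclass(frozen=True)
class Hit:
    rule: str
    pid: int
    detail: str


EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b", re.I)
ENCODED_SCRIPT_RE = re.compile(r"\.(vbe|jse)\b", re.I)
SC_RE = re.compile(r"/sc\s+(\w+)", re.I)
MO_RE = re.compile(r"/mo\s+(\d+)", re.I)
MAX_BENIGN_MINUTES = 15  # assumption: tighter relaunch loops look like watchdog persistence


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(ev: ProcEvent) -> List[Hit]:
    hits, image, cl = [], basename(ev.image), ev.cmdline.lower()
    # Defender exclusion added from PowerShell (the Add-MpPreference calls in the tree).
    if image in ("powershell.exe", "pwsh.exe") and EXCLUSION_RE.search(ev.cmdline):
        hits.append(Hit("defender_exclusion", ev.pid, ev.cmdline))
    # schtasks /create with highest run level and/or a tight MINUTE interval.
    if image == "schtasks.exe" and "/create" in cl:
        reasons = []
        if "/rl highest" in cl:
            reasons.append("runs at highest privilege")
        sc, mo = SC_RE.search(cl), MO_RE.search(cl)
        if sc and sc.group(1) == "minute" and mo and int(mo.group(1)) <= MAX_BENIGN_MINUTES:
            reasons.append(f"re-launches every {mo.group(1)} min")
        if reasons:
            hits.append(Hit("scheduled_task_persistence", ev.pid, "; ".join(reasons)))
    # wscript/cscript running an encoded script (.vbe/.jse), as with the dropped .vbe.
    if image in ("wscript.exe", "cscript.exe") and ENCODED_SCRIPT_RE.search(ev.cmdline):
        hits.append(Hit("encoded_script_host", ev.pid,
                        f"parent={basename(ev.parent_image) or 'unattributed'}"))
    # w32tm stripchart against localhost has no sync purpose; editor's reading: a delay.
    if image == "w32tm.exe" and "/stripchart" in cl and "/computer:localhost" in cl:
        hits.append(Hit("w32tm_delay", ev.pid, f"parent={basename(ev.parent_image)}"))
    return hits


def triage_all(events) -> List[Hit]:
    return [h for ev in events for h in triage(ev)]


def summarize(hits) -> dict:
    return dict(Counter(h.rule for h in hits))


# Events constructed from the process tree (PIDs and command lines as reported there).
SAMPLE_EVENTS = [
    ProcEvent(956, r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d546b8669d3e456675447544bbc172a27648310b2e6276fd327f7c00f71339af.exe",
              r"C:\Windows\SysWOW64\WScript.exe",
              r'''"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"'''),
    ProcEvent(796, r"C:\providercommon\DllCommonsvc.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'"""),
    ProcEvent(4516, r"C:\providercommon\DllCommonsvc.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'"""),
    ProcEvent(4300, "", r"C:\Windows\system32\schtasks.exe",
              r"""schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f"""),
    ProcEvent(972, "", r"C:\Windows\system32\schtasks.exe",
              r"""schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f"""),
    ProcEvent(4520, r"C:\Windows\System32\cmd.exe", r"C:\Windows\system32\w32tm.exe",
              "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    # Constructed benign controls (not from the report): must produce no hits.
    ProcEvent(9001, r"C:\Windows\explorer.exe", r"C:\Windows\System32\schtasks.exe",
              r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe"'''),
    ProcEvent(9002, r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Tools\inventory.vbs"),
]

if __name__ == "__main__":
    for hit in triage_all(SAMPLE_EVENTS):
        print(f"{hit.rule:28} pid={hit.pid:<5} {hit.detail}")
    print(summarize(triage_all(SAMPLE_EVENTS)))
```

The schtasks rule keys on the run level and the interval rather than on the task name, because the names used here imitate Windows components and would change between builds; the Defender rule matches all three -Exclusion* parameters even though only -ExclusionPath appears in this run.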

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d546b8669d3e456675447544bbc172a27648310b2e6276fd327f7c00f71339af.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d546b8669d3e456675447544bbc172a27648310b2e6276fd327f7c00f71339af.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3112
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:956
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1744
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1140
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:796
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4516
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\SppExtComObj.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4924
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3124
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Registry.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1952
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3668
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Registry.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1084
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2940
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3048
          • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe
            "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4984
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:64
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:4520
                • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe
                  "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe"
                  7⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2460
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ELd0wzhjGt.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2404
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:1580
                      • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe
                        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe"
                        9⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2616
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1844
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:2088
                            • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe
                              "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe"
                              11⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:1656
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat"
                                12⤵
                                • Suspicious use of WriteProcessMemory
                                PID:4044
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  13⤵
                                    PID:4008
                                  • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe
                                    "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe"
                                    13⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Modifies registry class
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:1604
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBIFf9IaIr.bat"
                                      14⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:4552
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        15⤵
                                          PID:4728
                                        • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe
                                          "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe"
                                          15⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Modifies registry class
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          PID:1996
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATZuYpZxcK.bat"
                                            16⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:1056
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              17⤵
                                                PID:3256
                                              • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe
                                                "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe"
                                                17⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Modifies registry class
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:4520
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat"
                                                  18⤵
                                                    PID:4048
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      19⤵
                                                        PID:2300
                                                      • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe
                                                        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe"
                                                        19⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Modifies registry class
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4548
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat"
                                                          20⤵
                                                            PID:324
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              21⤵
                                                                PID:2596
                                                              • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe
                                                                "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe"
                                                                21⤵
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Modifies registry class
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2452
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat"
                                                                  22⤵
                                                                    PID:2180
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      23⤵
                                                                        PID:3684
                                                                      • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe
                                                                        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe"
                                                                        23⤵
                                                                        • Checks computer location settings
                                                                        • Executes dropped EXE
                                                                        • Modifies registry class
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1268
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h9TWO8Gj4g.bat"
                                                                          24⤵
                                                                            PID:4460
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              25⤵
                                                                                PID:4516
                                                                              • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe
                                                                                "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe"
                                                                                25⤵
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                • Modifies registry class
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2116
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat"
                                                                                  26⤵
                                                                                    PID:2872
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      27⤵
                                                                                        PID:5048
                                                                                      • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe
                                                                                        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe"
                                                                                        27⤵
                                                                                        • Checks computer location settings
                                                                                        • Executes dropped EXE
                                                                                        • Modifies registry class
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2716
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iu0amT0ExO.bat"
                                                                                          28⤵
                                                                                            PID:3152
                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                              29⤵
                                                                                                PID:4124
                                                                                              • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe
                                                                                                "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe"
                                                                                                29⤵
                                                                                                • Checks computer location settings
                                                                                                • Executes dropped EXE
                                                                                                • Modifies registry class
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:4312
                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\msQYHxuKnC.bat"
                                                                                                  30⤵
                                                                                                    PID:208
                                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                      31⤵
                                                                                                        PID:4376
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4300
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:972
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4136
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Windows\ModemLogs\SppExtComObj.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2396
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\ModemLogs\SppExtComObj.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3932
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\SppExtComObj.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1076
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\cmd.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:368
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4820
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:876
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\providercommon\Registry.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4228
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\providercommon\Registry.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4564
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\providercommon\Registry.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1136
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3060
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1152
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3152
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Registry.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3200
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4876
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:228
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4508
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3476
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1416
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\Edge\RuntimeBroker.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3444
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\RuntimeBroker.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1868
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\Edge\RuntimeBroker.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3368
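
                                           The schtasks.exe invocations above all follow one template per dropped payload copy: a task that re-runs it every few minutes, a second task that runs it ONLOGON with /rl HIGHEST, and a third that again re-runs it every few minutes, also with HIGHEST. The two periodic tasks share a name (cmdc, RegistryR, IdleI, RuntimeBrokerR) and every call passes /f, which overwrites an existing task of that name, so the last definition is the one that survives. The executable names (cmd.exe, RuntimeBroker.exe, SppExtComObj.exe, Registry.exe, Idle.exe) copy the names of real Windows processes, but the directories (C:\Program Files (x86)\Windows Sidebar, C:\providercommon, C:\Users\Default User, C:\Recovery\WindowsRE, C:\Windows\ModemLogs) are not where those binaries live, and Registry and Idle are not on-disk executables at all. The Python below is an added example, not part of the sandbox report: it parses such command lines into structured indicators and flags that pattern. CANONICAL_DIRS is an assumption for a stock Windows 10 x64 install, and SAMPLE_CMDS is copied from the tree above.

```python
"""Parse the schtasks.exe persistence commands recorded above into structured
indicators and flag the masquerading pattern they share.
Added example, not part of the sandbox report; CANONICAL_DIRS is an assumption."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: where the genuine binaries with these names live on a stock
# Windows 10 x64 install. An empty set marks a process name that has no .exe
# on disk ("Registry" and "System Idle Process" are kernel-backed), so a file
# with that name is suspect wherever it sits.
CANONICAL_DIRS = {
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "sppextcomobj.exe": {r"c:\windows\system32"},
    "registry.exe": set(),
    "idle.exe": set(),
}

# Sample input copied from the process tree above.
SAMPLE_CMDS = [
    r'''schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\SppExtComObj.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\cmd.exe'" /f''',
    r'''schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\cmd.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\cmd.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\providercommon\Registry.exe'" /rl HIGHEST /f''',
]

_SWITCH = {
    "tn": re.compile(r'/tn\s+"([^"]*)"', re.I),
    "sc": re.compile(r"/sc\s+(\S+)", re.I),
    "mo": re.compile(r"/mo\s+(\d+)", re.I),
    # the /tr value is double-quoted and may contain spaces and single quotes
    "tr": re.compile(r'/tr\s+"(.*?)"(?=\s+/\w+|\s*$)', re.I),
    "rl": re.compile(r"/rl\s+(\S+)", re.I),
}


@dataclass
class TaskIOC:
    name: str
    schedule: str              # MINUTE, ONLOGON, ...
    interval_min: Optional[int]
    target: str                # program the task launches
    run_level: str             # LIMITED unless /rl HIGHEST was given
    findings: List[str] = field(default_factory=list)


def parse_schtasks(cmdline: str) -> TaskIOC:
    def grab(key: str) -> Optional[str]:
        m = _SWITCH[key].search(cmdline)
        return m.group(1) if m else None

    mo = grab("mo")
    ioc = TaskIOC(
        name=grab("tn") or "",
        schedule=(grab("sc") or "").upper(),
        interval_min=int(mo) if mo else None,
        target=(grab("tr") or "").strip().strip("'"),  # report quotes it as "'...'"
        run_level=(grab("rl") or "LIMITED").upper(),
    )
    ioc.findings = assess(ioc)
    return ioc


def assess(ioc: TaskIOC) -> List[str]:
    findings = []
    parent, _, exe = ioc.target.lower().rpartition("\\")
    if exe in CANONICAL_DIRS and parent not in CANONICAL_DIRS[exe]:
        findings.append("masquerade")        # system process name, wrong directory
    if ioc.run_level == "HIGHEST":
        findings.append("highest-runlevel")  # highest privileges the account has
    if ioc.schedule == "MINUTE" and ioc.interval_min is not None and ioc.interval_min <= 15:
        findings.append("minute-loop")       # watchdog-style relaunch every few minutes
    if ioc.schedule == "ONLOGON":
        findings.append("onlogon")
    return findings


def persisted_tasks(cmdlines: List[str]) -> dict:
    """Replay the /create calls in order. schtasks /f overwrites an existing task
    of the same name, so the last definition per name is the one left on disk."""
    tasks = {}
    for ioc in map(parse_schtasks, cmdlines):
        tasks[ioc.name] = ioc
    return tasks


if __name__ == "__main__":
    for name, ioc in persisted_tasks(SAMPLE_CMDS).items():
        print(f"{name:15} {ioc.schedule:8} {ioc.interval_min or '':>3} {ioc.run_level:8} "
              f"{ioc.target}  {','.join(ioc.findings)}")
```

                                           Feed it the command lines from Sysmon event 1 or Security 4698 (task created) instead of SAMPLE_CMDS to run the same check on a live host; the masquerade rule is the one that separates these from legitimate scheduled maintenance, since a HIGHEST run level or a short interval on its own is common in benign tasks.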

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Downloads

                                           • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log
                                             Filesize  1KB
                                             MD5       baf55b95da4a601229647f25dad12878
                                             SHA1      abc16954ebfd213733c4493fc1910164d825cac8
                                             SHA256    ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
                                             SHA512    24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                           • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                             Filesize  2KB
                                             MD5       d85ba6ff808d9e5444a4b369f5bc2730
                                             SHA1      31aa9d96590fff6981b315e0b391b575e4c0804a
                                             SHA256    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
                                             SHA512    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                           • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                             Filesize  944B
                                             MD5       1ca947063bf8c58838fa7455bd0b36d6
                                             SHA1      045ce9620e4c4df8225e72dd1f5e6a3e2b977e53
                                             SHA256    5eb2ec3df52dbc0b6404dc0fb61f76fc4cd510f56a799140fdece2e626da6142
                                             SHA512    5e20dc999d0103d9927ab3ea3c272977e74cb0b63c0e533b9ea20094713155a4cd7d918dce6f50ccc6a3c6217439ae6bca87f44c6fc5752f9107a0e1efb8601b

                                           • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (second write, different content)
                                             Filesize  944B
                                             MD5       cadef9abd087803c630df65264a6c81c
                                             SHA1      babbf3636c347c8727c35f3eef2ee643dbcc4bd2
                                             SHA256    cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
                                             SHA512    7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                                           • C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat
                                             Filesize  247B
                                             MD5       6577e72bdc2c429bc93e2cfbef668c6a
                                             SHA1      10c0e8e80b03359cf5d949028000a9bac18d0113
                                             SHA256    358ef10e47c22c5b50e48b7ce19e50c1d28b6d42416e40aff4b521fdb2e840cc
                                             SHA512    52a0e8c2f284100ef8daac1a04a60f439dce2a218de8b462e65aea65aae84106c7527111fbdecbf47d923f044b1677a98e086aeb24224643023f69d3e174e796

                                           • C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat
                                             Filesize  247B
                                             MD5       4c3972a437dbbfbd13f1973749c0959f
                                             SHA1      d615d15d93d37bbcd9361e2ff89fc1c402c33225
                                             SHA256    b23bce57ed7df41dedf809c8e703d609e33f7dcadf4c0a409f66693f9c58dfe2
                                             SHA512    d1396b9ee5c6989f6744f5e598792c887cbf694fc17fab3c1445b51555d80c7ee793e7c5a150aaa332b40eb8414969bd0ef9025cb7f9c1f67daa35a6b39a55ab

                                           • C:\Users\Admin\AppData\Local\Temp\ATZuYpZxcK.bat
                                             Filesize  247B
                                             MD5       9b82ec8bf31f9d732add7ef390dcb43d
                                             SHA1      d4497d290104066e0a42dea514be5d158a541563
                                             SHA256    f80da1df8fd1293768ae807caf3e31b2cccf5756d1e22173cb7f269d07c21be4
                                             SHA512    f01448440ca59b81527950700ed8b29ac4cb994bd4af170de145977ac50283a45d5d1049bd38db288c82dc5ec067e645a4c56914d2b5cadd1ddc27ecee20dcee

                                           • C:\Users\Admin\AppData\Local\Temp\ELd0wzhjGt.bat
                                             Filesize  247B
                                             MD5       202ad0c574042271117cd82aa19d3805
                                             SHA1      788031ab7f25b23c0c7ece6c55d695d3de0bc886
                                             SHA256    6bca6b97ab2adc3c449e98ec6069763ffa3cadb31882142ad464dc47e07adc9c
                                             SHA512    6a89f8eb689a07a1aa4bf22a5997cdfeb3216e969e8f04bcc437223729c78c8c413f2336d94e7c05723a1335e5cfc65fc1d533431305b7fd462ecc90e3773df5

                                           • C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat
                                             Filesize  247B
                                             MD5       0a29091fe5ef3d34112197c937152d03
                                             SHA1      577168f1e7b5d155eecb7f54d2bd76b03b1fd70e
                                             SHA256    ebdded17b823fe996302d1df2f4c396854a4e672a9ea97402527eadbc066acb0
                                             SHA512    5fa197e2aa1840fc995ecccc4f190d846c8eb66e49fc4260adf92daba95d167ef48901b9b11054e0a28f4d88b171cb2d708e9272b72eaa8fd1736303940a3112

                                           • C:\Users\Admin\AppData\Local\Temp\RBIFf9IaIr.bat
                                             Filesize  247B
                                             MD5       d65459f0f4079e0f8cc71b74574f0145
                                             SHA1      805fd85475cd9fd1ec69fa1dd7946d6044673158
                                             SHA256    1b531d678ea11384a5d7246aa86bbfb2b6578436a848e822cab7c0319e09fb50
                                             SHA512    1f378ecec505c8ff8641be66d2fe994533856ef5ff8c6e7fcc0c1ba2882d954696ba97a9c850a1e1ca9c584e7bf0eb903519564338e60852c58e31a99ccf5f02

                                           • C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat
                                             Filesize  247B
                                             MD5       adf987ffac5a0738adb876dd75bd68b6
                                             SHA1      0dc27f720bfcb6b0c35e62a2a444e5ee1ae0bb4d
                                             SHA256    242ae5619f4603aeb607ba86a20eb883e3853ae38b5b1427d878082272011bb3
                                             SHA512    df7e4a70c4c23dd5399b6a9b88235f388aee02380bdd03bc79355d4684016f90a8cc3d60f269cf9833812a55603a86c949933f1764515df967f31282a2185d27

                                           • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e0wfki04.ugw.ps1
                                             Filesize  60B
                                             MD5       d17fe0a3f47be24a6453e9ef58c94641
                                             SHA1      6ab83620379fc69f80c0242105ddffd7d98d5d9d
                                             SHA256    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
                                             SHA512    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                           • C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat
                                             Filesize  247B
                                             MD5       735f0bd54a36ee17f7c141135f5e7d6b
                                             SHA1      fd1d51fe71a49f3ebfe04fd59c76fd5ce2e09c36
                                             SHA256    c351c23d62df2b0d0aede97ffb995b6452b8bda40a837e1eae74c31a7ad86c5b
                                             SHA512    e04e49a39458b5a11089832a3969c23d02a3984ce9a1f0725f212e70b206a7dffbd475b21a40658427f855aa30479828fe463539efd1522fbeba6ac59187416d

                                           • C:\Users\Admin\AppData\Local\Temp\h9TWO8Gj4g.bat
                                             Filesize  247B
                                             MD5       e6e822ffe092364c86d5f98995cd1f26
                                             SHA1      eaf55e098cf7dcaf8625e3e39ec2b800af0b7416
                                             SHA256    584f3f53c5254bb01a9b6a0e0aa27d0981e3eca6c2c34979ec06d49882e3a9be
                                             SHA512    e48a43646d4d57a8712e0d6b61cd48c51194101ec14c6cfb0d1e402d003bbf3a1a2617acd49d312d88cfb0b7e12fcc0106bfa29539d55ee52812eccb2751c530

                                           • C:\Users\Admin\AppData\Local\Temp\iu0amT0ExO.bat
                                             Filesize  247B
                                             MD5       6a60ed935a02db9b5e2c8a81d3f7fab6
                                             SHA1      1c3796bdb133a560c198f27cfeca7d67fe3d81e8
                                             SHA256    7b42e007ccd298a76c4cb2793ef99c653a3e8e29610eb2f679fb082fb9192971
                                             SHA512    e9fb307d0037e6ea0d866eeadc0a547a9db49ffa911f80614c477efc943b9029c446000fd9387310b7d6d14197e1830b21dddc4c59285196e0ee777ff4e16f72

                                           • C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat
                                             Filesize  247B
                                             MD5       f61142fbf7d8cfabee06b9d0cfd9bd9e
                                             SHA1      b04e8fad65be47df4278883f90a58d91288125f7
                                             SHA256    970299dfecbf18f390e5a7fbd4fe793a0a625e9f958811ad1c7463c00f0b81ed
                                             SHA512    245d0a6791657e2105ec4ce622c4091cd0d43f58c9d9fbe8ae0631cc7f23048c57d2a1f38e897e8b22b9e462539b891360d26a1a3d8941af1c60cb2c12aacc3d

                                           • C:\Users\Admin\AppData\Local\Temp\msQYHxuKnC.bat
                                             Filesize  247B
                                             MD5       b9ed90bc5b659db6cebe406dc2031746
                                             SHA1      701d2a73d0a7125ec6235db12ddae752e2d4974d
                                             SHA256    6bcff6372fb5b4630918c5f2191001c18fb25d8e02bd18f5dcd615bd0704dcce
                                             SHA512    74dcd6362e45a4cf334d5d0947b6dea15a8ad1807724a29e16cd73da8e5d40e39c961aa6f3bae58bea43429c700ebaf5ec94b9c1eb0f771a297804df523db800

                                           • C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat
                                             Filesize  247B
                                             MD5       0bbd68d97155201e723d92a074395f8c
                                             SHA1      751a6f68d5be9cfe4f6862a2cb382fe985ba424b
                                             SHA256    e81ec834f624a4ed3294eef8a53ee6cf1c5ab537158dc26f440b8132ba696ca5
                                             SHA512    896f770d206f98405577ba9cef7840640b54de525fc650d37ea53d17a507b4295ed01ced348a2aae2452c68c22b946a3cb06836fc70eafeddd2d463d60d58f6b

                                           • C:\providercommon\1zu9dW.bat
                                             Filesize  36B
                                             MD5       6783c3ee07c7d151ceac57f1f9c8bed7
                                             SHA1      17468f98f95bf504cc1f83c49e49a78526b3ea03
                                             SHA256    8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
                                             SHA512    c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                           • C:\providercommon\DllCommonsvc.exe
                                             Filesize  1.0MB
                                             MD5       bd31e94b4143c4ce49c17d3af46bcad0
                                             SHA1      f8c51ff3ff909531d9469d4ba1bbabae101853ff
                                             SHA256    b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
                                             SHA512    f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                           • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
                                             Filesize  197B
                                             MD5       8088241160261560a02c84025d107592
                                             SHA1      083121f7027557570994c9fc211df61730455bb5
                                             SHA256    2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
                                             SHA512    20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
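
                                           The thirteen .bat files under C:\Users\Admin\AppData\Local\Temp are all 247 bytes but carry random ten-character names and distinct hashes, so they look generated at run time and their hashes are not reusable indicators on another host. The stable artefacts in this list are the three files under C:\providercommon (DllCommonsvc.exe, 1zu9dW.bat, yTUdeXjbLOhnrN32dgrxVg.vbe). The Python below is an added example, not part of the sandbox report: it sweeps a host (or a mounted image) for those reported paths, hashes whatever is present and reports match, mismatch or absent. Mismatch is kept separate from absent because a file at the right path with a different hash is still worth collecting. REPORTED is copied from the list above; demo() builds a scratch tree with constructed contents standing in for C:\ so the sweep runs offline.

```python
"""Sweep a host for the dropped files the report lists and check their SHA-256.
Added example, not part of the sandbox report."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Stable artefacts from the Downloads list above (Windows path -> SHA-256).
REPORTED = {
    r"C:\providercommon\DllCommonsvc.exe":
        "b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63",
    r"C:\providercommon\1zu9dW.bat":
        "8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322",
    r"C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe":
        "2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1",
}


def sha256_file(path: Path) -> str:
    """Stream the file so a 1 MB payload or a multi-GB dump hashes without
    loading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def to_local(win_path: str, root) -> Path:
    """Map 'C:\\dir\\file' onto root/dir/file so the same code runs against a
    mounted image or a scratch tree, not only a live Windows C: drive."""
    _drive, _, rest = win_path.partition("\\")
    return Path(root).joinpath(*rest.split("\\"))


def sweep(reported: dict, root) -> dict:
    """Return {reported_path: 'match' | 'mismatch' | 'absent'}."""
    result = {}
    for win_path, expected in reported.items():
        local = to_local(win_path, root)
        if not local.is_file():
            result[win_path] = "absent"
        elif sha256_file(local) == expected.lower():
            result[win_path] = "match"
        else:
            result[win_path] = "mismatch"
    return result


def demo() -> dict:
    """Build a scratch tree standing in for C:\\ with constructed contents:
    one file whose expected hash is set to its real digest (match), one with
    other bytes (mismatch), one not planted (absent). Returns the sweep result."""
    root = Path(tempfile.mkdtemp(prefix="dcrat-sweep-"))
    (root / "providercommon").mkdir()
    planted = b"constructed stand-in for DllCommonsvc.exe\n"   # constructed, not the sample
    (root / "providercommon" / "DllCommonsvc.exe").write_bytes(planted)
    (root / "providercommon" / "1zu9dW.bat").write_bytes(b"@echo off\r\n")
    expected = dict(REPORTED)
    # Substitute the digest of the constructed bytes so the demo can show a
    # true 'match' without the real sample on disk; the other entries keep
    # the hashes from the report.
    expected[r"C:\providercommon\DllCommonsvc.exe"] = hashlib.sha256(planted).hexdigest()
    try:
        return sweep(expected, root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:9} {path}")
```

                                           On a live host call sweep(REPORTED, "C:\\"); on a forensic image point root at the mount of the system volume. Pair the hash check with the scheduled-task and process-tree indicators above, since the random-named Temp launchers and any rebuilt payload will only ever show up as mismatch or absent here.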

                                           • memory/1140-17-0x000000001BA70000-0x000000001BA7C000-memory.dmp  Filesize 48KB
                                           • memory/1140-15-0x000000001BA40000-0x000000001BA4C000-memory.dmp  Filesize 48KB
                                           • memory/1140-12-0x00007FFC03FE3000-0x00007FFC03FE5000-memory.dmp  Filesize 8KB
                                           • memory/1140-13-0x0000000000D30000-0x0000000000E40000-memory.dmp  Filesize 1.1MB
                                           • memory/1140-14-0x000000001BA30000-0x000000001BA42000-memory.dmp  Filesize 72KB
                                           • memory/1140-16-0x000000001BA50000-0x000000001BA5C000-memory.dmp  Filesize 48KB
                                           • memory/1604-179-0x000000001C720000-0x000000001C8C9000-memory.dmp  Filesize 1.7MB
                                           • memory/1656-172-0x000000001C3E0000-0x000000001C589000-memory.dmp  Filesize 1.7MB
                                           • memory/1996-186-0x000000001C810000-0x000000001C9B9000-memory.dmp  Filesize 1.7MB
                                           • memory/2616-165-0x000000001C060000-0x000000001C209000-memory.dmp  Filesize 1.7MB
                                           • memory/2940-50-0x0000026D1BD90000-0x0000026D1BDB2000-memory.dmp  Filesize 136KB
                                           • memory/4312-226-0x0000000002AE0000-0x0000000002AF2000-memory.dmp  Filesize 72KB
                                           • memory/4548-195-0x0000000001830000-0x0000000001842000-memory.dmp  Filesize 72KB
                                           • memory/4984-82-0x00000000013E0000-0x00000000013F2000-memory.dmp  Filesize 72KB