Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    22-12-2024 01:16

General

  • Target

    JaffaCakes118_093a393488a6f0355551284128a899e5bd76be3ab86a8861f5dfb906195c2d63.exe

  • Size

    1.3MB

  • MD5

    cf0ad2d3ec0bbc4497b85dbb2f0ddeee

  • SHA1

    0b344c08f9675c6ee675a0f493b3b21863de0431

  • SHA256

    093a393488a6f0355551284128a899e5bd76be3ab86a8861f5dfb906195c2d63

  • SHA512

    09ecc53ee18236dc934e613480f60bf0ef25504a3d33dc64e765121be95b5592a480b3848e116c380e4b5ff11d31e5924d35d4548b32ad6c46352661a167cb20

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 17 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 16 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 55 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_093a393488a6f0355551284128a899e5bd76be3ab86a8861f5dfb906195c2d63.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_093a393488a6f0355551284128a899e5bd76be3ab86a8861f5dfb906195c2d63.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3556
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1368
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4300
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1640
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1372
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\PrintHood\Registry.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3236
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4984
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1348
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:920
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\InputMethod\CHT\sihost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:980
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4988
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1592
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\TextInputHost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3228
          • C:\Users\Admin\PrintHood\Registry.exe
            "C:\Users\Admin\PrintHood\Registry.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3364
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TmtjCtAJTq.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4848
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2712
                • C:\Users\Admin\PrintHood\Registry.exe
                  "C:\Users\Admin\PrintHood\Registry.exe"
                  7⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4212
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3948
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:4160
                      • C:\Users\Admin\PrintHood\Registry.exe
                        "C:\Users\Admin\PrintHood\Registry.exe"
                        9⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4248
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3436
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:3076
                            • C:\Users\Admin\PrintHood\Registry.exe
                              "C:\Users\Admin\PrintHood\Registry.exe"
                              11⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:4720
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat"
                                12⤵
                                • Suspicious use of WriteProcessMemory
                                PID:1032
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  13⤵
                                    PID:2628
                                  • C:\Users\Admin\PrintHood\Registry.exe
                                    "C:\Users\Admin\PrintHood\Registry.exe"
                                    13⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Modifies registry class
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:4920
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat"
                                      14⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:1192
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        15⤵
                                          PID:1348
                                        • C:\Users\Admin\PrintHood\Registry.exe
                                          "C:\Users\Admin\PrintHood\Registry.exe"
                                          15⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Modifies registry class
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          PID:2640
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat"
                                            16⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:4716
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              17⤵
                                                PID:2332
                                              • C:\Users\Admin\PrintHood\Registry.exe
                                                "C:\Users\Admin\PrintHood\Registry.exe"
                                                17⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Modifies registry class
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:3528
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat"
                                                  18⤵
                                                    PID:3820
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      19⤵
                                                        PID:2028
                                                      • C:\Users\Admin\PrintHood\Registry.exe
                                                        "C:\Users\Admin\PrintHood\Registry.exe"
                                                        19⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Modifies registry class
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:988
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A1nTHBcTHH.bat"
                                                          20⤵
                                                            PID:1020
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              21⤵
                                                                PID:2348
                                                              • C:\Users\Admin\PrintHood\Registry.exe
                                                                "C:\Users\Admin\PrintHood\Registry.exe"
                                                                21⤵
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Modifies registry class
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:1872
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yEObGBIDe.bat"
                                                                  22⤵
                                                                    PID:816
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      23⤵
                                                                        PID:3056
                                                                      • C:\Users\Admin\PrintHood\Registry.exe
                                                                        "C:\Users\Admin\PrintHood\Registry.exe"
                                                                        23⤵
                                                                        • Checks computer location settings
                                                                        • Executes dropped EXE
                                                                        • Modifies registry class
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:4328
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat"
                                                                          24⤵
                                                                            PID:4828
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              25⤵
                                                                                PID:1708
                                                                              • C:\Users\Admin\PrintHood\Registry.exe
                                                                                "C:\Users\Admin\PrintHood\Registry.exe"
                                                                                25⤵
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                • Modifies registry class
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2820
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat"
                                                                                  26⤵
                                                                                    PID:2164
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      27⤵
                                                                                        PID:396
                                                                                      • C:\Users\Admin\PrintHood\Registry.exe
                                                                                        "C:\Users\Admin\PrintHood\Registry.exe"
                                                                                        27⤵
                                                                                        • Checks computer location settings
                                                                                        • Executes dropped EXE
                                                                                        • Modifies registry class
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2248
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OoUlhQHDc2.bat"
                                                                                          28⤵
                                                                                            PID:5020
                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                              29⤵
                                                                                                PID:3724
                                                                                              • C:\Users\Admin\PrintHood\Registry.exe
                                                                                                "C:\Users\Admin\PrintHood\Registry.exe"
                                                                                                29⤵
                                                                                                • Checks computer location settings
                                                                                                • Executes dropped EXE
                                                                                                • Modifies registry class
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:4980
                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat"
                                                                                                  30⤵
                                                                                                    PID:1640
                                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                      31⤵
                                                                                                        PID:4016
                                                                                                      • C:\Users\Admin\PrintHood\Registry.exe
                                                                                                        "C:\Users\Admin\PrintHood\Registry.exe"
                                                                                                        31⤵
                                                                                                        • Checks computer location settings
                                                                                                        • Executes dropped EXE
                                                                                                        • Modifies registry class
                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:2596
                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat"
                                                                                                          32⤵
                                                                                                            PID:4848
                                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                              33⤵
                                                                                                                PID:808
                                                                                                              • C:\Users\Admin\PrintHood\Registry.exe
                                                                                                                "C:\Users\Admin\PrintHood\Registry.exe"
                                                                                                                33⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:5056
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3444
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4164
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\PrintHood\Registry.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4968
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\Registry.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4156
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\PrintHood\Registry.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3120
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:876
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1616
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\providercommon\smss.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3380
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1352
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1988
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1448
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2056
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1076
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\InputMethod\CHT\sihost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1556
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\InputMethod\CHT\sihost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1040
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Windows\InputMethod\CHT\sihost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2740
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1776
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1156
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3332
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2960
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3992
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4704
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\TextInputHost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4480
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\TextInputHost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:5024
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\TextInputHost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4860

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Downloads

                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Registry.exe.log

                                                Filesize

                                                1KB

                                                MD5

                                                baf55b95da4a601229647f25dad12878

                                                SHA1

                                                abc16954ebfd213733c4493fc1910164d825cac8

                                                SHA256

                                                ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                                SHA512

                                                24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                Filesize

                                                2KB

                                                MD5

                                                d85ba6ff808d9e5444a4b369f5bc2730

                                                SHA1

                                                31aa9d96590fff6981b315e0b391b575e4c0804a

                                                SHA256

                                                84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                SHA512

                                                8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                944B

                                                MD5

                                                d28a889fd956d5cb3accfbaf1143eb6f

                                                SHA1

                                                157ba54b365341f8ff06707d996b3635da8446f7

                                                SHA256

                                                21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                                SHA512

                                                0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                944B

                                                MD5

                                                cadef9abd087803c630df65264a6c81c

                                                SHA1

                                                babbf3636c347c8727c35f3eef2ee643dbcc4bd2

                                                SHA256

                                                cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

                                                SHA512

                                                7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                944B

                                                MD5

                                                bd5940f08d0be56e65e5f2aaf47c538e

                                                SHA1

                                                d7e31b87866e5e383ab5499da64aba50f03e8443

                                                SHA256

                                                2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

                                                SHA512

                                                c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                64B

                                                MD5

                                                f29c703e714479aef5d204d494b44fa6

                                                SHA1

                                                1aed3be5a2588a2702cd3ddef8600d80fb1fe67d

                                                SHA256

                                                af70fbef29b9f7842ad0cf36f02975c1d4b5753995981194d967b9fe3f38451b

                                                SHA512

                                                6cee929f3a2f0c279008b40fe2ce185fb51377365f870dfb35c0136930501331b69df8ac83ce9613f68b9a9e85f2869667ffe3d9c4ec40e63fc0cbd137388ad3

                                              • C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat

                                                Filesize

                                                202B

                                                MD5

                                                1093321979fcf691fea81f17f04a0674

                                                SHA1

                                                834b79263936fb5c562cfc0d5a03a65a6832e290

                                                SHA256

                                                37b39f98769ddf45a5ca39d0321a7ac955dc11121b0e9cfa83bc31b63c02bf20

                                                SHA512

                                                b63f2aa2cc771e92a3823c208f5e3019308ec5b8ff8d57ed5720d04bcd0fbcd2f031e59a8fd5824060a5a3f7590a2d3110807a29e90ec8ded0934e35851310a6

                                              • C:\Users\Admin\AppData\Local\Temp\4yEObGBIDe.bat

                                                Filesize

                                                202B

                                                MD5

                                                e20995ed64598e917afdc83e4d577baf

                                                SHA1

                                                2935b9916b3c20cc6828a7167857ff0188c76fd9

                                                SHA256

                                                121dd5ab26da595799969705699d40f7ce068629f0e0157f2c828f487c22d2b1

                                                SHA512

                                                8a98bb20a543ad951334ce2674233a603eb636142fb8358cab42646e87d31649e0fd092ae7468ef8f20546c9ddc11727dad8b5a855ef95da4460891ab5f7f90f

                                              • C:\Users\Admin\AppData\Local\Temp\A1nTHBcTHH.bat

                                                Filesize

                                                202B

                                                MD5

                                                1ee21650cfb3352ada9afed3f0e40f6f

                                                SHA1

                                                aa3f6c4224324a50296079b5069d7e1e99c0bba8

                                                SHA256

                                                a4384d6ed6e21c831cf8e2ba3705ceb9d00484c1ab2e2df8013a1249a09ed650

                                                SHA512

                                                f9cdf61ec0df46b45b6d32be44bdbd58e3103913fd085cd8f7c5c94236380a6fceb5d86f88df048424ad6846f2f841462ca32923805b854a77205365f88430d1

                                              • C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat

                                                Filesize

                                                202B

                                                MD5

                                                b2b68904a1f26852a9573e54d6d1d949

                                                SHA1

                                                5f664bd68fb2a095352988bc9c21f0f622439bf9

                                                SHA256

                                                5f25179561c142c75707193ede02b6ffb6f7effba63e774a8fc90d7cd25034f6

                                                SHA512

                                                00b1296d4cbb8aff739e11510226e83138a3382fc38cb6795e0654d8bfc217d4d3372a7ba96c9b27066ec76acc2160911d519f290bda2d0985966a9c1c43a8f1

                                              • C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat

                                                Filesize

                                                202B

                                                MD5

                                                39592c387ea6b501077f8e13bca90258

                                                SHA1

                                                0de2a1c5af7d8032dc0508869343a592c51b4a19

                                                SHA256

                                                e1220b55ab16594a136202f469df8cbfb08b5e15a84cf91daced8dd10dd1b370

                                                SHA512

                                                03ed3df9973e797c83f359dccfd0fdd531a54840ebcfa3a249eacbf05fded78cc84c6d3fb98666c8eb9ac7fa804e22dcaf952e4e82ff7c884085763a146e5995

                                              • C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat

                                                Filesize

                                                202B

                                                MD5

                                                bf65dbd3d0f65982cc47705fbdc3f0bf

                                                SHA1

                                                5a2f00f6cf9067920b3f736c594235cfc94d030f

                                                SHA256

                                                345a75d95108b2b045db9f24915f6a1381f11303d0cab0dee618f0739746560b

                                                SHA512

                                                df0943c7495eb4b5e848e3471e65c4cf8582fc354a1a8be8b5bc4a9062c4e3dbf28004812b20c80d6f9bda150b950ba57782adacd2c622de45e37631d0560ad4

                                              • C:\Users\Admin\AppData\Local\Temp\OoUlhQHDc2.bat

                                                Filesize

                                                202B

                                                MD5

                                                2d8b3e38a1b33a05007bbfdf716ae3b7

                                                SHA1

                                                23955c422e45dbe6e5c0bbd12d5e719876948f5a

                                                SHA256

                                                98ca1bcc53770d0f41380b790772336d9a1487f00171bcbf1890b2b877abd60a

                                                SHA512

                                                ee05702cd0a7cc0b2aba1e1d20ac4d0b635cb0209f0bafae0bcd04e9bdba952dbda202a11d2940362782ccf3e404c4dc854c21a122d46e5a3e7607a7186a776b

                                              • C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat

                                                Filesize

                                                202B

                                                MD5

                                                cebaa995299ebd35bb487a4b3e9311b8

                                                SHA1

                                                78a0eb772be02ce07dcd1b33ca2750613914759f

                                                SHA256

                                                d00024715e2ffea1adc6be4ad47d03b7855e7e95c5f40dfac253484778a2d39a

                                                SHA512

                                                37e3a44eb3ee7078241519fd98d78f3f08622e0b1478bf8a3fc38563a0248fe2ed878dc6a73fe026d624bcfaed9e996e34f0a68bccc331685c6b83c63fcc50cc

                                              • C:\Users\Admin\AppData\Local\Temp\TmtjCtAJTq.bat

                                                Filesize

                                                202B

                                                MD5

                                                f508087a6d909b582a08d95111dfc441

                                                SHA1

                                                25b963431e48bbc8eeab37ddb2e15561227d3e07

                                                SHA256

                                                85dba0a073ab706c5de3a68cfee587498f60b848eea0491e2e85b5d70dd0ec2b

                                                SHA512

                                                07e2cdd63ab619838e8ee932738233946101748c1901f3a4bfadb483883deb3d505c2d2a06946643cbf9d4c5ea9554776ebc65b349b5163d2010a29203744ff6

                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k2s23u54.2ji.ps1

                                                Filesize

                                                60B

                                                MD5

                                                d17fe0a3f47be24a6453e9ef58c94641

                                                SHA1

                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                SHA256

                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                SHA512

                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                              • C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat

                                                Filesize

                                                202B

                                                MD5

                                                bb45a6c5e265e93b6dd5609c9fa72f84

                                                SHA1

                                                3f3d21aa2f47e68c61a8008e7f3ed50490b02c2d

                                                SHA256

                                                feec05e4a51587f6d9ea78a13c57f2d8e089a5a75a9cdac6ab54c09a68cc122a

                                                SHA512

                                                93d8d054865e21d0797cdf0df99c9832135564fbe83acf5a12cf1f630449679b6385d783eea65eb613887631a5e6c109dce38f2914ffc715f1f6dc0d30e3e209

                                              • C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat

                                                Filesize

                                                202B

                                                MD5

                                                8d07d27e19c1ed90bd1d06a527ac5a62

                                                SHA1

                                                0c70a98d3971f4179eb9c6071a9a9fcd7080ba52

                                                SHA256

                                                0f3ab7c60cfe774c2c1f242e4cebe35b77bda42de9961b14ea3e270aa431ecbf

                                                SHA512

                                                e2c83d89fd46fa8c4ae8a9d61b74c7fa6dd07558e96259786f106b92a63625477544c09b64ecab8d4525322704acc21450e51b048c040d4d9e624acc905be21a

                                              • C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat

                                                Filesize

                                                202B

                                                MD5

                                                fa8aaee0192d5304bf27eb941d5196c8

                                                SHA1

                                                56dff7f46567865aabda0546ad2ea45f8c3bb30a

                                                SHA256

                                                7edbd542a053218b859d9ba316ae46a4a220fbd6d3adaec8eb789a6d577efd57

                                                SHA512

                                                99d15ff60eee042c4a0b08cab0353e0ea5a0b31a16ea3c79b66e6edb453a55c9e146a173a302a5b12a40c5c452246e4c20ad1ceb508bb94e3a32a66897f4d760

• C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat
  Filesize: 202B
  MD5: 322db055cd633fa11409f83603cbd2ff
  SHA1: e6f6ecc1a578314edf975153dfb66d3a22607103
  SHA256: 9f78fcfd4123eed68d097329f2371edc7bcb5a504aaeb5f2eb0b16fe664ad393
  SHA512: c835f5244ae6a47914cd46fd6727b00deea6f98f5c1191d76c30d587a057e5f8d7592b48b86cb4767b74217dd7c45ca2955e564c712e9557e6d99617701f4ac2

• C:\providercommon\1zu9dW.bat
  Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• C:\providercommon\DllCommonsvc.exe
  Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

• memory/2248-232-0x0000000003140000-0x0000000003152000-memory.dmp
  Filesize: 72KB

• memory/2640-193-0x0000000000AF0000-0x0000000000B02000-memory.dmp
  Filesize: 72KB

• memory/2820-225-0x0000000002B20000-0x0000000002B32000-memory.dmp
  Filesize: 72KB

• memory/3528-200-0x0000000001140000-0x0000000001152000-memory.dmp
  Filesize: 72KB

• memory/4300-12-0x00007FFCD8EA3000-0x00007FFCD8EA5000-memory.dmp
  Filesize: 8KB

• memory/4300-13-0x0000000000660000-0x0000000000770000-memory.dmp
  Filesize: 1.1MB

• memory/4300-14-0x000000001B270000-0x000000001B282000-memory.dmp
  Filesize: 72KB

• memory/4300-15-0x000000001B290000-0x000000001B29C000-memory.dmp
  Filesize: 48KB

• memory/4300-16-0x000000001B280000-0x000000001B28C000-memory.dmp
  Filesize: 48KB

• memory/4300-17-0x000000001B2A0000-0x000000001B2AC000-memory.dmp
  Filesize: 48KB

• memory/4720-180-0x0000000002AD0000-0x0000000002AE2000-memory.dmp
  Filesize: 72KB

• memory/4984-53-0x00000262E9F50000-0x00000262E9F72000-memory.dmp
  Filesize: 136KB