Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    22-12-2024 02:04

General

  • Target

    JaffaCakes118_a30c72ef367d75102a40ab1cca7aaa6eb5c6553c39bef4d7843b60c7409237da.exe

  • Size

    1.3MB

  • MD5

    b166b12f0a2a165bf6f2f7e7342a7a94

  • SHA1

    27a963429bdaf51ba631836aace4b0550e142afd

  • SHA256

    a30c72ef367d75102a40ab1cca7aaa6eb5c6553c39bef4d7843b60c7409237da

  • SHA512

    9c57fc7272948a4ffe38ac09caf61b8cd9b240812974e48daffa5acc002d5d6216bf1d6f1b8aeddd93a7d9d4138e941de75908edbf163d21e576573dee216528

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a30c72ef367d75102a40ab1cca7aaa6eb5c6553c39bef4d7843b60c7409237da.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a30c72ef367d75102a40ab1cca7aaa6eb5c6553c39bef4d7843b60c7409237da.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2204
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2324
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:844
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\msadc\de-DE\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1736
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1932
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:908
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1272
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1472
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\fr-FR\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2464
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Acrobat\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2248
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:540
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3056
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2544
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3052
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2056
          • C:\providercommon\spoolsv.exe
            "C:\providercommon\spoolsv.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:896
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b9aNmsEibB.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:388
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2668
                • C:\providercommon\spoolsv.exe
                  "C:\providercommon\spoolsv.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2120
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAWHCtE00Z.bat"
                    8⤵
                      PID:2544
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:2292
                        • C:\providercommon\spoolsv.exe
                          "C:\providercommon\spoolsv.exe"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3056
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kQw8FYVnXF.bat"
                            10⤵
                              PID:2936
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                11⤵
                                  PID:2796
                                • C:\providercommon\spoolsv.exe
                                  "C:\providercommon\spoolsv.exe"
                                  11⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1216
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat"
                                    12⤵
                                      PID:1900
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        13⤵
                                          PID:2668
                                        • C:\providercommon\spoolsv.exe
                                          "C:\providercommon\spoolsv.exe"
                                          13⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1836
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat"
                                            14⤵
                                              PID:1920
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                15⤵
                                                  PID:2420
                                                • C:\providercommon\spoolsv.exe
                                                  "C:\providercommon\spoolsv.exe"
                                                  15⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1360
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat"
                                                    16⤵
                                                      PID:1888
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        17⤵
                                                          PID:2480
                                                        • C:\providercommon\spoolsv.exe
                                                          "C:\providercommon\spoolsv.exe"
                                                          17⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:3056
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q3ZRkRg4YZ.bat"
                                                            18⤵
                                                              PID:1236
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                19⤵
                                                                  PID:876
                                                                • C:\providercommon\spoolsv.exe
                                                                  "C:\providercommon\spoolsv.exe"
                                                                  19⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1424
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKnLpNzAx9.bat"
                                                                    20⤵
                                                                      PID:1936
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        21⤵
                                                                          PID:3020
                                                                        • C:\providercommon\spoolsv.exe
                                                                          "C:\providercommon\spoolsv.exe"
                                                                          21⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:1164
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat"
                                                                            22⤵
                                                                              PID:2436
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                23⤵
                                                                                  PID:1692
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\System\msadc\de-DE\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2064
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\msadc\de-DE\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2832
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\System\msadc\de-DE\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2588
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\es-ES\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\es-ES\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2376
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1456
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1900
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2968
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Cookies\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:792
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2440
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Cookies\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\fr-FR\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1732
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\fr-FR\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1184
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\Acrobat\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2908
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Acrobat\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1076
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2984
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2100
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2180
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\providercommon\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1204
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:828
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2504
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2672
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1464
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1888

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Downloads

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                      Filesize: 342B
                                      MD5: 8e32d69487c12d09e38aacb9b1cdd06b
                                      SHA1: cf7245b2257edbad215c9a363538c773331ce644
                                      SHA256: 0b92a349d3d08c240eb72868012b7780c5ad4119bfbb1733879373cb01a006e7
                                      SHA512: 2eb7632166ccf6d21ae1af4289c42147ad8816112253b4107abe39efcb08e11522db2129ba09bd09fcd544bc491f0684e1aab10d742edbab4b4fc684bc7a8171

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                      Filesize: 342B
                                      MD5: 9d014be1e39e1110f3132e9d64aebdc9
                                      SHA1: d526b198ffb7bf062e69b3462a8bcbee666ed9a2
                                      SHA256: b1e6d649576351264d64a14bf55eab51d4f82a0e3565058b3d0070879ba11d8f
                                      SHA512: b6b167c3423003ded7d08b553952be2e08ea7069d29d84614fc2759053120f756ba37e2c4d5274002b38a893a53a8866d83a9996890dd02b17f51d59bc80a0b8

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                      Filesize: 342B
                                      MD5: f78ac8d2c2a6bd1a563c9ff59488a944
                                      SHA1: 08add82221fbb2392b2da871acfb847708700f55
                                      SHA256: 0c56e7e17d1763f45bd6dd95bc3a958ead357433d9f199ed2209eeb78d95692d
                                      SHA512: d2ec73d98fccd19ae38ae8ee60963b53e5c0d2bf1c4665a1b0d6838aaf2043afe799051b6028a91a0b85c848eb6074a2173002f5d3863206b64863e7ef95689a

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                      Filesize: 342B
                                      MD5: 1f83b5de81751f42870c300d434e4333
                                      SHA1: 1fb4a08c463ffbff61075c8020b04f8b806d3ece
                                      SHA256: 8bb6786d6b7c74c9499307f31345af427c1fd46562dad64790ef1756ca742590
                                      SHA512: 89138c0efbda8063f432a166073bab589ea2a77b46ece911403e0df5dd2104617e17896fc6ef85857724972a337d590bb96c4b6ac9768196877cb4baa0b598c7

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                      Filesize: 342B
                                      MD5: aa94150c8127b8d65faf05c471e37c65
                                      SHA1: 9f651293bbe8f9f97855148eef474c065c7583cc
                                      SHA256: 72ba945b10d65880bfaa2ef4852f64aac6a70955addebf2f939f0979dcd47a30
                                      SHA512: cb9d0f50d90f55fa88ae938644abed2a8b9701765a588dd7311e8aa4891595a6a39efa9701465a49baa68313ff1e814c86a47125dfa273731d68f53d90a94288

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                      Filesize: 342B
                                      MD5: 7a0d9d47651d4e890e32c54c8e08782d
                                      SHA1: 0f3c4af07945354fecf9ac5781e259e2037b4f83
                                      SHA256: 4394fc17f73ac2f27af428ce1a70981e8047e0694e298ae0501c3aacaede8f5b
                                      SHA512: e66527f84ccba03b87029afcdf04aedd2cceb006c89ac4a4baf6fd3bfbb4f53f5b8341323e954984dbe269a2653cf7243b14bf8ac6faf701bf83085049f60f9a

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                      Filesize: 342B
                                      MD5: 6266bbc30cb66150a5ac025fdf528017
                                      SHA1: 88e4cfe8303a011bab43a859891f9a03dd7a6215
                                      SHA256: e9d4d242c6dc83d2e0244a44f9a34a865ad8e15523a03172ff7a7ee38b2477b1
                                      SHA512: 2bd820de8446ec3bfd0f70332aa7ff0457ef88c8204f0385332be932eb7c7c1271c99f15b3662f83719888949ef2eca679c48911940513873c0a9134b3d34864

                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                      Filesize: 342B
                                      MD5: a25a70315062d25b231c3c23598bc09b
                                      SHA1: f89881b360c6490221c782edaea54ce38668ae20
                                      SHA256: 297c101ae43e23beccc1b4b5b962d2bb8e10638041f2c3255e3e0013a2491f7a
                                      SHA512: 87b8adddac456e90d4b0b98bd8191b1a7adca27c1b1f09de78d8a2db2f3a3fc59596dfbf07b021c06cf9c8e9a13d8fda1da24daee0eaf43d103658e2c86f06f6

                                    • C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat
                                      Filesize: 194B
                                      MD5: f62971ff421030a174f726a2556e4818
                                      SHA1: bfbb11bb14d6bafed4a32f9a16f5f09953d44687
                                      SHA256: 928e941073a353a708c7272c68d35c178a32060dcceb458012712372ea92303c
                                      SHA512: 98556a91c7ea26795d393a3c82193d5b8162f41451262283b1ed294d32f46c4e9a1e9bdb40a76db6590c64783ac6caaaaf4e5e8278db6d27b22d3e24285d59dd

                                    • C:\Users\Admin\AppData\Local\Temp\BAWHCtE00Z.bat
                                      Filesize: 194B
                                      MD5: 0fd96b86c54c80e5626e006eeb3e5c84
                                      SHA1: 472bb297a26cd05a3041fd78ed0cd45206b19d1a
                                      SHA256: 31f47eb36786ee95c2fda83958c8d7c935c28ed8a249be5045c7f2e6c9fbff73
                                      SHA512: a1b7eab581d10e57f91fcc550d649b1bd9bde6162c0a373ebacde33352e7790d4659d531f58721c12d167697c0976f108634fe6aab8411bd0de983bd7b603716

                                    • C:\Users\Admin\AppData\Local\Temp\CabE919.tmp
                                      Filesize: 70KB
                                      MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
                                      SHA1: 1723be06719828dda65ad804298d0431f6aff976
                                      SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
                                      SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                    • C:\Users\Admin\AppData\Local\Temp\Q3ZRkRg4YZ.bat
                                      Filesize: 194B
                                      MD5: 3ca45749da1436e640c44f4933af4367
                                      SHA1: 74582c19d0683e569e42921c702f87f02b8c9379
                                      SHA256: a82eca500424db1090ca9184b48b26828d749a94041c4556d091ced1bb2c78e6
                                      SHA512: 224a7cb16a2f443ddee18c860af6c7cce45c7c9b762f1bc46adfbe06296e35cfcd2eb3bd016b1288b8ea1479932da71cfbc78d2336e77c135a12980b144b4446

                                    • C:\Users\Admin\AppData\Local\Temp\TarE92C.tmp
                                      Filesize: 181KB
                                      MD5: 4ea6026cf93ec6338144661bf1202cd1
                                      SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
                                      SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
                                      SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                    • C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat
                                      Filesize: 194B
                                      MD5: 9e5efc9b07fe2452028296ab8400ff13
                                      SHA1: a31ecee044fc53b1a8ade24a370fd07fc7dd36af
                                      SHA256: 20566ef5736e69c1385f9a29890a3c7c1cc39672bb562842622e5d08284f0da9
                                      SHA512: 59a39ad67912a579403ae7b701c2341858a4940ccafdc25d89cb1f0fc70e0a7196575e5ce342ccf41e4cc3319ba2e99bb012b39d8abb0da6fa6505e0525cce10

                                    • C:\Users\Admin\AppData\Local\Temp\b9aNmsEibB.bat
                                      Filesize: 194B
                                      MD5: 78e250fe7346a2c11940587ad994cec0
                                      SHA1: 6cc1b84db6bbeb7daf0ebfab1a137916fc56c673
                                      SHA256: 999e96f0a2f7801b68e108e53fe0613d0c1de1155474164ca9aeb33bc51ef877
                                      SHA512: 7025ff28a93eae68cac536ea52df11b40fc0cb28e5c5e9a680de574b8be91d27fe84abc7bbd5d5316bea280ec380254e59eb47ed2186435736bb551b738255f6

                                    • C:\Users\Admin\AppData\Local\Temp\eKnLpNzAx9.bat
                                      Filesize: 194B
                                      MD5: 49aef3945bdf57e82f255961f2cde01e
                                      SHA1: b3de8a2de5dd42a581f3bbea0d7b891748859b5a
                                      SHA256: 6275d0d9dc85206671a49ca99bd87c69970e8c28439c8a44ff663a16018a393d
                                      SHA512: ddf8f362905f491459ff78e99a2dc98744c732be34bd42c562bac97393423da44360b4084f173c1b35b8435c1e7c32737735280fa76ffe239458711f1e14389f

                                    • C:\Users\Admin\AppData\Local\Temp\kQw8FYVnXF.bat
                                      Filesize: 194B
                                      MD5: a9effc838f07ef384f58a40a177cc6ba
                                      SHA1: 0daf8a4bff728077044467080db4ad29436173c7
                                      SHA256: 5fa20a86bddec36d23630644459de18635f1c44a8d029e78b01ec8a627b08b22
                                      SHA512: 57a5f6f93a15f2ce1be3d8b83d7fa4564b05edaa16684ab4f1955cff357a89c8ac8e01560b4c3a9083867ecfc9eb3d56475733d5473bb9625cdc3fdaf61e8f99

                                    • C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat
                                      Filesize: 194B
                                      MD5: 2c04833263e2da683e6d782bc7a307e7
                                      SHA1: d515adb07eb214add256c0446e6cd842c8a1a8a7
                                      SHA256: 724fbf74c6fc3fb0caf132c41a1f30419b7b8016e07f63d7901530aa5a2e8cd7
                                      SHA512: 1c045a583f6c4e4912e1f8d5aee17762775fee3bda8cecc32293bf20f4bf1ef0eed6748b935d9841c12085f0b53a17593163f049c17f6b17fa7ebfa5ec7c1d2a

                                    • C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat
                                      Filesize: 194B
                                      MD5: 5612fa4859b0b5bf8f2f2d850da48415
                                      SHA1: ad568464b07c2fc2f48bcf47c4b306aae221a4d9
                                      SHA256: 336702106efe85504444f6b59513b83e8f89a2a8f57e228fcaf111d28f6466ea
                                      SHA512: f8b552f70cda8b02bd193b111eae5510bad1a23021efa8796bff62a09d6bbcd168bcce8735fe7cd9e10c45d49daa7ac225976857e6b0767fe0765cbb3c0f7c7c

                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                      Filesize: 7KB
                                      MD5: ac3f78b06718783525dbd11f4ffcd483
                                      SHA1: db9c0b5b0f3e8eba044d5a6fb2dabc7b399d22f1
                                      SHA256: 2bc3282f3ab1f3ebea69f821b60dc0347417ecb12daf6cfa07d64439582bebbe
                                      SHA512: 9c64779ba0db91a3191186994de9fcbcefa101de398caf6c3597711d4ce360915f5bea486c1edc4dec412f54979286e72b144c9b69a2875e7ff15d40813cb593

                                    • C:\providercommon\1zu9dW.bat
                                      Filesize: 36B
                                      MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
                                      SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
                                      SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
                                      SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                    • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
                                      Filesize: 197B
                                      MD5: 8088241160261560a02c84025d107592
                                      SHA1: 083121f7027557570994c9fc211df61730455bb5
                                      SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
                                      SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                    • \providercommon\DllCommonsvc.exe
                                      Filesize: 1.0MB
                                      MD5: bd31e94b4143c4ce49c17d3af46bcad0
                                      SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
                                      SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
                                      SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                    • memory/896-48-0x0000000000800000-0x0000000000910000-memory.dmp
                                      Filesize: 1.1MB

                                    • memory/896-115-0x0000000000160000-0x0000000000172000-memory.dmp
                                      Filesize: 72KB

                                    • memory/1164-592-0x0000000001020000-0x0000000001130000-memory.dmp
                                      Filesize: 1.1MB

                                    • memory/1216-294-0x0000000000EA0000-0x0000000000FB0000-memory.dmp
                                      Filesize: 1.1MB

                                    • memory/1216-295-0x0000000000150000-0x0000000000162000-memory.dmp
                                      Filesize: 72KB

                                    • memory/1424-532-0x00000000003B0000-0x00000000003C2000-memory.dmp
                                      Filesize: 72KB

                                    • memory/1932-54-0x000000001B6C0000-0x000000001B9A2000-memory.dmp
                                      Filesize: 2.9MB

                                    • memory/1932-64-0x0000000002240000-0x0000000002248000-memory.dmp
                                      Filesize: 32KB

                                    • memory/2120-174-0x00000000012E0000-0x00000000013F0000-memory.dmp
                                      Filesize: 1.1MB

                                    • memory/2324-15-0x0000000000360000-0x000000000036C000-memory.dmp
                                      Filesize: 48KB

                                    • memory/2324-13-0x0000000000110000-0x0000000000220000-memory.dmp
                                      Filesize: 1.1MB

                                    • memory/2324-14-0x00000000002C0000-0x00000000002D2000-memory.dmp
                                      Filesize: 72KB

                                    • memory/2324-16-0x0000000000350000-0x000000000035C000-memory.dmp
                                      Filesize: 48KB

                                    • memory/2324-17-0x0000000000370000-0x000000000037C000-memory.dmp
                                      Filesize: 48KB

                                    • memory/3056-234-0x00000000000B0000-0x00000000001C0000-memory.dmp
                                      Filesize: 1.1MB