Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2024 02:07

General

  • Target

    JaffaCakes118_af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760.exe

  • Size

    1.3MB

  • MD5

    f6011a9af3bb76cebd2a579ef81b4dd2

  • SHA1

    887ba1dd251ff6270adfd66f305d9c6eb6e4bcda

  • SHA256

    af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760

  • SHA512

    7931a81e030fb51170e895d3170b8f30de6b9cbfb83c5201266b613a6a5747f71d930c2097af6d7f4f79b42c444ab5def0256fd9060fb4a65d225081fd652aa5

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 14 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 14 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4620
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3560
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:380
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5092
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4564
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\PackageManifests\sihost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1836
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4896
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4524
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\WindowsUpdate\sihost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4184
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:868
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\upfc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1740
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\sysmon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3112
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2396
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\Assets\fontdrvhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3648
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2284
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4IM9wGN2db.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:5056
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1300
              • C:\Users\Default User\RuntimeBroker.exe
                "C:\Users\Default User\RuntimeBroker.exe"
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3860
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0ZxjVk2zv8.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1520
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:4084
                    • C:\Users\Default User\RuntimeBroker.exe
                      "C:\Users\Default User\RuntimeBroker.exe"
                      8⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3080
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2216
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:1964
                          • C:\Users\Default User\RuntimeBroker.exe
                            "C:\Users\Default User\RuntimeBroker.exe"
                            10⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Modifies registry class
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:4936
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat"
                              11⤵
                              • Suspicious use of WriteProcessMemory
                              PID:624
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                12⤵
                                  PID:3704
                                • C:\Users\Default User\RuntimeBroker.exe
                                  "C:\Users\Default User\RuntimeBroker.exe"
                                  12⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:4676
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat"
                                    13⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:468
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      14⤵
                                        PID:4280
                                      • C:\Users\Default User\RuntimeBroker.exe
                                        "C:\Users\Default User\RuntimeBroker.exe"
                                        14⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Modifies registry class
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of WriteProcessMemory
                                        PID:1636
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat"
                                          15⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:1304
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            16⤵
                                              PID:4516
                                            • C:\Users\Default User\RuntimeBroker.exe
                                              "C:\Users\Default User\RuntimeBroker.exe"
                                              16⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Modifies registry class
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:4908
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zi4n06VBpB.bat"
                                                17⤵
                                                  PID:3652
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    18⤵
                                                      PID:2424
                                                    • C:\Users\Default User\RuntimeBroker.exe
                                                      "C:\Users\Default User\RuntimeBroker.exe"
                                                      18⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Modifies registry class
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:4688
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat"
                                                        19⤵
                                                          PID:380
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            20⤵
                                                              PID:3888
                                                            • C:\Users\Default User\RuntimeBroker.exe
                                                              "C:\Users\Default User\RuntimeBroker.exe"
                                                              20⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Modifies registry class
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:1564
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat"
                                                                21⤵
                                                                  PID:908
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    22⤵
                                                                      PID:4112
                                                                    • C:\Users\Default User\RuntimeBroker.exe
                                                                      "C:\Users\Default User\RuntimeBroker.exe"
                                                                      22⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Modifies registry class
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:4696
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat"
                                                                        23⤵
                                                                          PID:4408
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            24⤵
                                                                              PID:3556
                                                                            • C:\Users\Default User\RuntimeBroker.exe
                                                                              "C:\Users\Default User\RuntimeBroker.exe"
                                                                              24⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Modifies registry class
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:4836
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ISA3vp411k.bat"
                                                                                25⤵
                                                                                  PID:2284
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    26⤵
                                                                                      PID:4840
                                                                                    • C:\Users\Default User\RuntimeBroker.exe
                                                                                      "C:\Users\Default User\RuntimeBroker.exe"
                                                                                      26⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Modifies registry class
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2768
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1kSioVLOLD.bat"
                                                                                        27⤵
                                                                                          PID:4968
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            28⤵
                                                                                              PID:4200
                                                                                            • C:\Users\Default User\RuntimeBroker.exe
                                                                                              "C:\Users\Default User\RuntimeBroker.exe"
                                                                                              28⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Modifies registry class
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:868
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QRlBHoY6P9.bat"
                                                                                                29⤵
                                                                                                  PID:3152
                                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                    30⤵
                                                                                                      PID:2892
                                                                                                    • C:\Users\Default User\RuntimeBroker.exe
                                                                                                      "C:\Users\Default User\RuntimeBroker.exe"
                                                                                                      30⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:3632
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\PackageManifests\sihost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2716
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\sihost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4784
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\PackageManifests\sihost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3228
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Templates\conhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3632
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Templates\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4972
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Templates\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2100
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3688
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:5104
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:5076
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\WindowsUpdate\sihost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3952
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Logs\WindowsUpdate\sihost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2088
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\WindowsUpdate\sihost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:348
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\providercommon\sppsvc.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4584
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3664
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:228
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\upfc.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3092
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\upfc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:892
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\upfc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:116
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\sysmon.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2276
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\sysmon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2844
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\sysmon.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:752
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\dllhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:212
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4120
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4108
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\Assets\fontdrvhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4136
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\Assets\fontdrvhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3196
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\Assets\fontdrvhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1636
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\dllhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1280
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2504
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1700

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

                                            Filesize

                                            1KB

                                            MD5

                                            baf55b95da4a601229647f25dad12878

                                            SHA1

                                            abc16954ebfd213733c4493fc1910164d825cac8

                                            SHA256

                                            ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                            SHA512

                                            24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                            Filesize

                                            2KB

                                            MD5

                                            d85ba6ff808d9e5444a4b369f5bc2730

                                            SHA1

                                            31aa9d96590fff6981b315e0b391b575e4c0804a

                                            SHA256

                                            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                            SHA512

                                            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            d28a889fd956d5cb3accfbaf1143eb6f

                                            SHA1

                                            157ba54b365341f8ff06707d996b3635da8446f7

                                            SHA256

                                            21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                            SHA512

                                            0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            62623d22bd9e037191765d5083ce16a3

                                            SHA1

                                            4a07da6872672f715a4780513d95ed8ddeefd259

                                            SHA256

                                            95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

                                            SHA512

                                            9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            59d97011e091004eaffb9816aa0b9abd

                                            SHA1

                                            1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

                                            SHA256

                                            18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

                                            SHA512

                                            d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

                                          • C:\Users\Admin\AppData\Local\Temp\0ZxjVk2zv8.bat

                                            Filesize

                                            204B

                                            MD5

                                            536a37997a88ea8d7c4ddb478924a226

                                            SHA1

                                            80e3f5edd13110515a5c23d03de287bdc02d84e5

                                            SHA256

                                            4a4bbace3ed90662482d7025a542ef0c60a7bdb31dec666630b8adf3dc8c2afc

                                            SHA512

                                            bac1369dd64eaafbf20214ca76c491e239ededfcea99ed018f0888bec73b3a464cd598845904a21c8afdb0dc3741409c85b22ecce94859b77c7a005ebde13e40

                                          • C:\Users\Admin\AppData\Local\Temp\1kSioVLOLD.bat

                                            Filesize

                                            204B

                                            MD5

                                            9be34514ee39eb1b215718af9333af14

                                            SHA1

                                            865a5d3b71463f27eff95709b0683f6f6478576d

                                            SHA256

                                            5b4a0ab95cecde55be83a8ce4fa51aabbf8437cbb927ef676ea0a1de8a84ace8

                                            SHA512

                                            556663a0953ef43497f496d89f38794b0367dd36f9640ded559ecdba49f6ff06e2a2c99bf617b5030bf45a2dd4d41ef8140419e17016962589c607c40187ad18

                                          • C:\Users\Admin\AppData\Local\Temp\4IM9wGN2db.bat

                                            Filesize

                                            204B

                                            MD5

                                            bdb91e06ed7ea847b27ba41883d091d1

                                            SHA1

                                            059b18213e55ddf0a77236510076f9bc868aff2b

                                            SHA256

                                            f7413909bfb02ab15288973db22da6cad40469acdc298c84fb683657a475c162

                                            SHA512

                                            7f9fc0004fbaff8d3e3dd50b2c4ff4c45a2d48af5bf9af4e11e70962db28881ae22a2a1320d7733c8d57cc74da74b8b4a8f817f288fd402a02c5724f97f0adf2

                                          • C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat

                                            Filesize

                                            204B

                                            MD5

                                            3ba2dd71a971c394198131eee81a0140

                                            SHA1

                                            84583659068f3da8454a95ad35f14eb04dfa8898

                                            SHA256

                                            16528d7aec9ae8760ab73c786a3b1172e3c483adf96f4ae90360abbdec4fe596

                                            SHA512

                                            7842a374d77bd9699be599769dfe9652793d483bd6360e869c2f0670a123ed4b552d342c9c1881a50dd76a6a0767ffb9a11b0e905794f837d68d6343071825ca

                                          • C:\Users\Admin\AppData\Local\Temp\ISA3vp411k.bat

                                            Filesize

                                            204B

                                            MD5

                                            c3b733dd955e9ded9a52004d8fafe3a2

                                            SHA1

                                            369ac8eeb5f76a1b7524fabc5def75ab5ced8aef

                                            SHA256

                                            556d96f53b612b2d5923e9dd1c03f149da16af05fa4212208f707feb056d2752

                                            SHA512

                                            1cab6476b2d7dde5255466f4b1d61ec58ae2d038a74e2869a89e24779418c3908e0abab264407fb08a5e581994236b35ea0ded7411d0b236e52a09a4cb1f5e54

                                          • C:\Users\Admin\AppData\Local\Temp\QRlBHoY6P9.bat

                                            Filesize

                                            204B

                                            MD5

                                            206321ea2e02fa0d9d03f3c708bc4e8f

                                            SHA1

                                            e4bba8c68ee930cea061d85d2bb14b7c740979d2

                                            SHA256

                                            79e87d6838d755702358abd35c132af626894803e29fc70c3c8a7bd8709aad24

                                            SHA512

                                            5f62eb5b7f3847b0ef3a1037eef03832d61010ecdf6f681bd1f222791f239487a59ca65e12d0a2bb38f34e3874baab21fcb1cc9fc45fe561929de20da51750f4

                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ypuqxex3.2xh.ps1

                                            Filesize

                                            60B

                                            MD5

                                            d17fe0a3f47be24a6453e9ef58c94641

                                            SHA1

                                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                            SHA256

                                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                            SHA512

                                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                          • C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat

                                            Filesize

                                            204B

                                            MD5

                                            7de1dd3e17706c780f0ec25ce22f079d

                                            SHA1

                                            f1231abb5450273dfba53cbbb70bec19b40566ff

                                            SHA256

                                            d775ca0d595a6a5c417f9f1563fad38317526fd2a251f78e1cacdaec382b7d5d

                                            SHA512

                                            de716963472c45f3ec1e975ea838ba2bc21e6ff32032572592249e41d776e92b63f213157a50936ad2f83636ac74679a82318a1a2e6d255036e33b443ef1c066

                                          • C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat

                                            Filesize

                                            204B

                                            MD5

                                            b30a9507509645145df0dfcb17eed725

                                            SHA1

                                            773d41673143dcf4557b847f6ccc1e45e3d64eec

                                            SHA256

                                            890e7e18d0c507896a6b063ca059904284cb84a723cf5dcf4adbb33a770fc97b

                                            SHA512

                                            95c3ede2f3daeee2bb1f1b664266cee6abf4717a7240c89490b4f04e6818990e1575000854954c0249b18e87548a5a03f00758bed31ee3be2c200fbb6c4d74ee

                                          • C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat

                                            Filesize

                                            204B

                                            MD5

                                            878d48fd22159d9c02fe96d2248001f6

                                            SHA1

                                            fe92e43a3324b11ff43e791241fd71864ad2d975

                                            SHA256

                                            82e8a0f85acd04f3a88922232ac48c1d59580b1755ac7368b7eb32040a72f7d9

                                            SHA512

                                            650ac05a48664a8a18b63420d617a2f93bd53fb45e287ca0c2c8fb6a8e0e50a36c978c1de3dcf85f67a49d1e99dce165d279f5f3307d25fb74f0e15642cda8a8

                                          • C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat

                                            Filesize

                                            204B

                                            MD5

                                            0e4bb50bb4e4ca4e0f6d1aa2aaa321d2

                                            SHA1

                                            d4a3fce722db7df24549e98086fbe8229dc29617

                                            SHA256

                                            53669e687bcdce1597514608866129abbe548a011f30c47560dd667f9f298285

                                            SHA512

                                            120e9266f6ed77d7163cb7ba56acb263eff05b4c4abe92b13226bfc88dfecbd25c770b098c4281a25a6650598bd9af3156f5400b7f0bb4af0c1603f3b2295615

                                          • C:\Users\Admin\AppData\Local\Temp\zi4n06VBpB.bat

                                            Filesize

                                            204B

                                            MD5

                                            ed9015b71649e433da0aa12540e3a10a

                                            SHA1

                                            e7948f73eb9735fb5205bc41f88420cc90a99e4c

                                            SHA256

                                            b468b712624bb5579f2d334eeabfb831dd57a0113b0c2f828144a99148c77da6

                                            SHA512

                                            cfd082426182d53c554e0eff885f99e8e1dc7f3e59ddb811109256d193b90a4942b6bf7cef6fcc32bc5c81c2ff6220dd13a0d0ec35728743da5f6e6ee14c6f03

                                          • C:\providercommon\1zu9dW.bat

                                            Filesize

                                            36B

                                            MD5

                                            6783c3ee07c7d151ceac57f1f9c8bed7

                                            SHA1

                                            17468f98f95bf504cc1f83c49e49a78526b3ea03

                                            SHA256

                                            8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                            SHA512

                                            c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                          • C:\providercommon\DllCommonsvc.exe

                                            Filesize

                                            1.0MB

                                            MD5

                                            bd31e94b4143c4ce49c17d3af46bcad0

                                            SHA1

                                            f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                            SHA256

                                            b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                            SHA512

                                            f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                          • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                            Filesize

                                            197B

                                            MD5

                                            8088241160261560a02c84025d107592

                                            SHA1

                                            083121f7027557570994c9fc211df61730455bb5

                                            SHA256

                                            2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                            SHA512

                                            20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                          • memory/3860-170-0x00000000011F0000-0x0000000001202000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/4184-48-0x0000014EF0B20000-0x0000014EF0B42000-memory.dmp

                                            Filesize

                                            136KB

                                          • memory/4836-227-0x000000001BFF0000-0x000000001C002000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/5092-16-0x0000000002BF0000-0x0000000002BFC000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/5092-13-0x00000000008D0000-0x00000000009E0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/5092-14-0x0000000002BD0000-0x0000000002BE2000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/5092-12-0x00007FFBAC493000-0x00007FFBAC495000-memory.dmp

                                            Filesize

                                            8KB

                                          • memory/5092-15-0x0000000002BE0000-0x0000000002BEC000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/5092-17-0x0000000002C00000-0x0000000002C0C000-memory.dmp

                                            Filesize

                                            48KB