Analysis

  • max time kernel
    143s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    22-12-2024 02:06

General

  • Target

    JaffaCakes118_3ba70aa58be376d93abfb1a5812fdb5616e63bf635db2d5edc58b0aa4b1d5f71.exe

  • Size

    1.3MB

  • MD5

    3afbb9ac7578d423d44c72e66807b4c3

  • SHA1

    f4c4fe2861e2d8f9266e49867c15568e0ec0b936

  • SHA256

    3ba70aa58be376d93abfb1a5812fdb5616e63bf635db2d5edc58b0aa4b1d5f71

  • SHA512

    50373cdb531773d266b7046aa60b1c57f5e7e54a7ab69da21ef499c0602cfaf42a1ab8c2a531717c2f22ec156b0f733080b8601eb79bbee73c22f04cbdcd35f2

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 16 IoCs

    Looks up the country code configured in the registry; likely a geofence check.

  • Executes dropped EXE 15 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Modifies registry class 14 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3ba70aa58be376d93abfb1a5812fdb5616e63bf635db2d5edc58b0aa4b1d5f71.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3ba70aa58be376d93abfb1a5812fdb5616e63bf635db2d5edc58b0aa4b1d5f71.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4780
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4820
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1372
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:624
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5008
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\actionqueue\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1480
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2520
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4416
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\InputMethod\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2040
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4056
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sihost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1916
          • C:\Windows\InputMethod\RuntimeBroker.exe
            "C:\Windows\InputMethod\RuntimeBroker.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4856
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syea0WjfTx.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3044
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:5024
                • C:\Windows\InputMethod\RuntimeBroker.exe
                  "C:\Windows\InputMethod\RuntimeBroker.exe"
                  7⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4012
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HKL0gj8mBn.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4724
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:3920
                      • C:\Windows\InputMethod\RuntimeBroker.exe
                        "C:\Windows\InputMethod\RuntimeBroker.exe"
                        9⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3264
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2160
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:2860
                            • C:\Windows\InputMethod\RuntimeBroker.exe
                              "C:\Windows\InputMethod\RuntimeBroker.exe"
                              11⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:4388
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RFyBjogktz.bat"
                                12⤵
                                • Suspicious use of WriteProcessMemory
                                PID:3660
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  13⤵
                                    PID:1628
                                  • C:\Windows\InputMethod\RuntimeBroker.exe
                                    "C:\Windows\InputMethod\RuntimeBroker.exe"
                                    13⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Modifies registry class
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:4416
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat"
                                      14⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:4428
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        15⤵
                                          PID:3292
                                        • C:\Windows\InputMethod\RuntimeBroker.exe
                                          "C:\Windows\InputMethod\RuntimeBroker.exe"
                                          15⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Modifies registry class
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          PID:2264
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x1DfgQ9qXa.bat"
                                            16⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:1984
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              17⤵
                                                PID:1128
                                              • C:\Windows\InputMethod\RuntimeBroker.exe
                                                "C:\Windows\InputMethod\RuntimeBroker.exe"
                                                17⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Modifies registry class
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of WriteProcessMemory
                                                PID:2136
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat"
                                                  18⤵
                                                    PID:5056
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      19⤵
                                                        PID:444
                                                      • C:\Windows\InputMethod\RuntimeBroker.exe
                                                        "C:\Windows\InputMethod\RuntimeBroker.exe"
                                                        19⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Modifies registry class
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1976
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat"
                                                          20⤵
                                                            PID:3136
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              21⤵
                                                                PID:4836
                                                              • C:\Windows\InputMethod\RuntimeBroker.exe
                                                                "C:\Windows\InputMethod\RuntimeBroker.exe"
                                                                21⤵
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Modifies registry class
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:3600
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syea0WjfTx.bat"
                                                                  22⤵
                                                                    PID:1148
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      23⤵
                                                                        PID:4112
                                                                      • C:\Windows\InputMethod\RuntimeBroker.exe
                                                                        "C:\Windows\InputMethod\RuntimeBroker.exe"
                                                                        23⤵
                                                                        • Checks computer location settings
                                                                        • Executes dropped EXE
                                                                        • Modifies registry class
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:5076
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2sHl3bGdB9.bat"
                                                                          24⤵
                                                                            PID:2336
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              25⤵
                                                                                PID:1392
                                                                              • C:\Windows\InputMethod\RuntimeBroker.exe
                                                                                "C:\Windows\InputMethod\RuntimeBroker.exe"
                                                                                25⤵
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                • Modifies registry class
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:3692
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\THL7XCWxQ1.bat"
                                                                                  26⤵
                                                                                    PID:852
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      27⤵
                                                                                        PID:3544
                                                                                      • C:\Windows\InputMethod\RuntimeBroker.exe
                                                                                        "C:\Windows\InputMethod\RuntimeBroker.exe"
                                                                                        27⤵
                                                                                        • Checks computer location settings
                                                                                        • Executes dropped EXE
                                                                                        • Modifies registry class
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:1468
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat"
                                                                                          28⤵
                                                                                            PID:3896
                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                              29⤵
                                                                                                PID:452
                                                                                              • C:\Windows\InputMethod\RuntimeBroker.exe
                                                                                                "C:\Windows\InputMethod\RuntimeBroker.exe"
                                                                                                29⤵
                                                                                                • Checks computer location settings
                                                                                                • Executes dropped EXE
                                                                                                • Modifies registry class
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:796
                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BcPyovVCSH.bat"
                                                                                                  30⤵
                                                                                                    PID:4060
                                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                      31⤵
                                                                                                        PID:5044
                                                                                                      • C:\Windows\InputMethod\RuntimeBroker.exe
                                                                                                        "C:\Windows\InputMethod\RuntimeBroker.exe"
                                                                                                        31⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:3480
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1500
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\actionqueue\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2752
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4284
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\actionqueue\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2180
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1196
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2136
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2052
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1076
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1648
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5108
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\InputMethod\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2056
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\InputMethod\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4252
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\InputMethod\RuntimeBroker.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1144
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dllhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3608
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3940
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3548
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\providercommon\sihost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3444
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3508
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1208

                                          Network

                                          MITRE ATT&CK Enterprise v15


                                          Downloads
