Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2024 05:26

General

  • Target

    JaffaCakes118_d35c608b629646ef5143e7d09350957771e444dfb922f1f008fe027c20353f2a.exe

  • Size

    1.3MB

  • MD5

    e4dda23dd5768f4962c4538afbaf69a0

  • SHA1

    9dc3192471df94de1dc45fe5914f781711b5d0f8

  • SHA256

    d35c608b629646ef5143e7d09350957771e444dfb922f1f008fe027c20353f2a

  • SHA512

    8b53332e40808f9ea913490805afd829b984717d3d6b9da97c8080645c745be0c0f51f38fa18fa6c2a9a57c4c63d925cba6864b5c90c6605efbd024d83ab5713

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 16 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 14 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d35c608b629646ef5143e7d09350957771e444dfb922f1f008fe027c20353f2a.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d35c608b629646ef5143e7d09350957771e444dfb922f1f008fe027c20353f2a.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3896
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3920
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2920
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1888
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1736
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:844
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\USOShared\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3988
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\fontdrvhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4560
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4228
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\unsecapp.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4248
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\taskhostw.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1100
          • C:\Windows\fr-FR\fontdrvhost.exe
            "C:\Windows\fr-FR\fontdrvhost.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1496
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TK13bru719.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1288
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:3556
                • C:\Windows\fr-FR\fontdrvhost.exe
                  "C:\Windows\fr-FR\fontdrvhost.exe"
                  7⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3056
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1620
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:3360
                      • C:\Windows\fr-FR\fontdrvhost.exe
                        "C:\Windows\fr-FR\fontdrvhost.exe"
                        9⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4112
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4632
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:4580
                            • C:\Windows\fr-FR\fontdrvhost.exe
                              "C:\Windows\fr-FR\fontdrvhost.exe"
                              11⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:2516
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat"
                                12⤵
                                • Suspicious use of WriteProcessMemory
                                PID:4892
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  13⤵
                                    PID:4272
                                  • C:\Windows\fr-FR\fontdrvhost.exe
                                    "C:\Windows\fr-FR\fontdrvhost.exe"
                                    13⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Modifies registry class
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:3392
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat"
                                      14⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:3888
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        15⤵
                                          PID:1672
                                        • C:\Windows\fr-FR\fontdrvhost.exe
                                          "C:\Windows\fr-FR\fontdrvhost.exe"
                                          15⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Modifies registry class
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          PID:4444
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat"
                                            16⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:1772
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              17⤵
                                                PID:5072
                                              • C:\Windows\fr-FR\fontdrvhost.exe
                                                "C:\Windows\fr-FR\fontdrvhost.exe"
                                                17⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Modifies registry class
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of WriteProcessMemory
                                                PID:3004
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat"
                                                  18⤵
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:4228
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    19⤵
                                                      PID:1500
                                                    • C:\Windows\fr-FR\fontdrvhost.exe
                                                      "C:\Windows\fr-FR\fontdrvhost.exe"
                                                      19⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Modifies registry class
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1464
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat"
                                                        20⤵
                                                          PID:4460
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            21⤵
                                                              PID:984
                                                            • C:\Windows\fr-FR\fontdrvhost.exe
                                                              "C:\Windows\fr-FR\fontdrvhost.exe"
                                                              21⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Modifies registry class
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:3604
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat"
                                                                22⤵
                                                                  PID:3424
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    23⤵
                                                                      PID:3852
                                                                    • C:\Windows\fr-FR\fontdrvhost.exe
                                                                      "C:\Windows\fr-FR\fontdrvhost.exe"
                                                                      23⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Modifies registry class
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2944
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat"
                                                                        24⤵
                                                                          PID:1148
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            25⤵
                                                                              PID:748
                                                                            • C:\Windows\fr-FR\fontdrvhost.exe
                                                                              "C:\Windows\fr-FR\fontdrvhost.exe"
                                                                              25⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Modifies registry class
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:4572
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat"
                                                                                26⤵
                                                                                  PID:4800
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    27⤵
                                                                                      PID:1924
                                                                                    • C:\Windows\fr-FR\fontdrvhost.exe
                                                                                      "C:\Windows\fr-FR\fontdrvhost.exe"
                                                                                      27⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Modifies registry class
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:3964
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat"
                                                                                        28⤵
                                                                                          PID:764
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            29⤵
                                                                                              PID:2144
                                                                                            • C:\Windows\fr-FR\fontdrvhost.exe
                                                                                              "C:\Windows\fr-FR\fontdrvhost.exe"
                                                                                              29⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Modifies registry class
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:1316
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat"
                                                                                                30⤵
                                                                                                  PID:1336
                                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                    31⤵
                                                                                                      PID:4152
                                                                                                    • C:\Windows\fr-FR\fontdrvhost.exe
                                                                                                      "C:\Windows\fr-FR\fontdrvhost.exe"
                                                                                                      31⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:3872
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\providercommon\System.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3996
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3216
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1208
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\USOShared\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2704
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2320
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\USOShared\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3056
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\fontdrvhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:4588
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:4684
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2408
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3044
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1820
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:4132
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Windows\Microsoft.NET\unsecapp.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1020
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\unsecapp.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3684
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\unsecapp.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2312
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\taskhostw.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1524
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\taskhostw.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3924
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\taskhostw.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1848

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

                                          Filesize

                                          1KB

                                          MD5

                                          baf55b95da4a601229647f25dad12878

                                          SHA1

                                          abc16954ebfd213733c4493fc1910164d825cac8

                                          SHA256

                                          ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                          SHA512

                                          24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                          Filesize

                                          2KB

                                          MD5

                                          d85ba6ff808d9e5444a4b369f5bc2730

                                          SHA1

                                          31aa9d96590fff6981b315e0b391b575e4c0804a

                                          SHA256

                                          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                          SHA512

                                          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          944B

                                          MD5

                                          2e907f77659a6601fcc408274894da2e

                                          SHA1

                                          9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                                          SHA256

                                          385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                                          SHA512

                                          34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          944B

                                          MD5

                                          6d3e9c29fe44e90aae6ed30ccf799ca8

                                          SHA1

                                          c7974ef72264bbdf13a2793ccf1aed11bc565dce

                                          SHA256

                                          2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

                                          SHA512

                                          60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

                                        • C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat

                                          Filesize

                                          197B

                                          MD5

                                          2b10494f09adf827afae857608d0997d

                                          SHA1

                                          5913963ba4e7bbfbde174105a9c584b2643dcb27

                                          SHA256

                                          e029a139d57e9d5b825c78e9b494baa13231669e331a6c4bd70ba0918abf96c1

                                          SHA512

                                          5d3607f5a2f27b09a946fa6a1bdf8f5055426e2badd50781cfc15458a83af73ded8d322bb0e797160e1f6627f0a83f3bac1a1a23dc5c477b0d53a6229d7d6219

                                        • C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat

                                          Filesize

                                          197B

                                          MD5

                                          4a9c63ece9777fd3cdd0daaab95bff22

                                          SHA1

                                          6c2b249c4e56d71c0dabcc7ff605afc532035dec

                                          SHA256

                                          cb7dae9fa73de2533b5951824f6ecc5cb6be2f9bf29af96f6ce17ad26ff94ccf

                                          SHA512

                                          08461e572131aae398f54b826b6c565ac35868b9ad851f00fed3898bcc430acdbd6eabb5c76d545a26f2935ef70edbf1db7566d2aef6728e39d8a3b3afd68123

                                        • C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat

                                          Filesize

                                          197B

                                          MD5

                                          187c9c3e9df52671d7855354645ea61e

                                          SHA1

                                          bb509fe8e98df7eb0bd026d792b00ccd27763d10

                                          SHA256

                                          54af4c9c6db65fe0d16c83be49f9be7ac0018421f644bdd5eb33778ddb1eb352

                                          SHA512

                                          6ae0f12018add6d7345ad68a6d71bcbf752a8d0a9573c6fe9a7512017bf0271510ad86a7de3a7fe7b2a668318b6084a2d4ddf2db8ff33c511b819b52159af738

                                        • C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat

                                          Filesize

                                          197B

                                          MD5

                                          f09906dde90083c72a55bce93b030c22

                                          SHA1

                                          edf0f849d4a7154298bdb9f23492c2dd8426d22a

                                          SHA256

                                          5b206429a08ebbf1a48c9a7da7df81e7a8c0354a2f7eb17a06c05d3435e60c7f

                                          SHA512

                                          d9f05b0c5cdbe71c85d15ca380676e115fb13579f8edd8cb2b21ba7e36d05082108266063e0c78ff03eed7d1bf264b6d24f615aa5d5adaa74e86a0451eb3ca81

                                        • C:\Users\Admin\AppData\Local\Temp\TK13bru719.bat

                                          Filesize

                                          197B

                                          MD5

                                          3360d3aeb546e6ab72ede6f49ef9e2d1

                                          SHA1

                                          74e573f9fcc5184a918e5ed16d6413843bdaefae

                                          SHA256

                                          754891139f759be9e29925be1f0f9995faf3dfe400028ae613ce8c8870c36a2d

                                          SHA512

                                          5da16330025db8f0f287775eb9758b89786509440a6d8a75946d94195154ec3b1f68ab45a4f3b90aa2f28644a1ddec2aadce083736187c547b12cf6f4c947767

                                        • C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat

                                          Filesize

                                          197B

                                          MD5

                                          12a0758ee878ef703cc538eceb2c4a33

                                          SHA1

                                          f7c6e734903571576bb0199c32ffc5dd0279b3b4

                                          SHA256

                                          791922e26d292a7c01b0caea02f53f20fb13aa21ebc15103d1441260185c3a94

                                          SHA512

                                          85dc95b1fe65417e67eaf2124275a574778cf577e1a18b944646d916fd98a6412f064fb17603a99d940f4e6695ee81d43c5f996bebb3c9b1394d46a361d5730e

                                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5n1q0xnt.zyr.ps1

                                          Filesize

                                          60B

                                          MD5

                                          d17fe0a3f47be24a6453e9ef58c94641

                                          SHA1

                                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                          SHA256

                                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                          SHA512

                                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                        • C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat

                                          Filesize

                                          197B

                                          MD5

                                          51166fa424f18e8665ccbf55cab50da9

                                          SHA1

                                          809fbc081b055e36388af36f182b5f654c078063

                                          SHA256

                                          8551b97f71087485fbe19a1062d91a7b34041d67775a1a70a12b4a8051f84a5b

                                          SHA512

                                          c8a3040a936275341a7bb250d8e7eeee374a2b3efa81330060d8da8abd74ebf7a60ca2b2ef2890fffb5bee39a38b94ca43a18faf080ee61814c2951f9b837746

                                        • C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat

                                          Filesize

                                          197B

                                          MD5

                                          720f11cdcc6d485023a41c967c849074

                                          SHA1

                                          d2bfe45f6e30d25d14cfddbbbce155d3773bfb2d

                                          SHA256

                                          1f8c931b594f3fa33fa139c8c379cffaad29bb38ad01a39d9a2310a6457b40fc

                                          SHA512

                                          936ec28e81f6df7a09b9c9830efe9ff064f13e947363affc0093d4ada2d06126cbe8b9a124d77f597ef201bc34adb0b406f9c4cbfa460b530feaa8e7b9e78132

                                        • C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat

                                          Filesize

                                          197B

                                          MD5

                                          d9d8bb73d6f5dbc76721715f7fe81659

                                          SHA1

                                          e5cf54deae27e7ed8ac22539bb60130d362b6ab0

                                          SHA256

                                          62d1cdd69d5e141f058b16841dbac0607faf9e43dd442d31e4cada7e642260a6

                                          SHA512

                                          7586e3e36206e5f7dbfe2a54d1b6df9cfb6dbc3c8e431c4c4226bf562961c637047130cc56646627bad58f54176e27b827f13d8dd73a7f1a3ed209513442f1e1

                                        • C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat

                                          Filesize

                                          197B

                                          MD5

                                          e6828e38f2518fc31160801062eda3f8

                                          SHA1

                                          ed36a47a2e66000ce407d2983d7ec391dd7c7955

                                          SHA256

                                          c3227ee2f5dace0078c86657ac6fde980d4b385d9e216a578efa0ae8e931d7b4

                                          SHA512

                                          1c5d393797f93fdbac7af82b1ea4fe9eb194f61a6491b5e8fd2ba4c557987c4e06b45d8bac14f19880cd9218483d351640ed64a91bc1c19ac6cc3e1aabfa087b

                                        • C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat

                                          Filesize

                                          197B

                                          MD5

                                          d40ed4166a7481baecfa34f2445938cf

                                          SHA1

                                          aff973fb08a8713421b2969bf0e270fb0d180ed1

                                          SHA256

                                          f6d353e3aeaca1e3a386095996cee02dab4a2666954a7e4e289ea7ba12d635b0

                                          SHA512

                                          69a104aac9221eb086112f94b2e703661354e160eb4b3856ebd56df5f51f8a61fe9336f7e5b273f7bf27a1257b262e33270a0a2d7ae08c8c672b276be09d731d

                                        • C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat

                                          Filesize

                                          197B

                                          MD5

                                          f7de649216e0cc0b593fc9c80b0ad768

                                          SHA1

                                          771b4646327ae9c2bfe17241b5f76027e6b3613a

                                          SHA256

                                          a8f9c9a8e7dff0d475e3e80f083991efbb82874674feba3d563abbce719a9ad1

                                          SHA512

                                          2d15642fb15a2c836a3ed8dba601cec2a971c07c71c32d6db1ab68a8d06ed41a669d3f57424df5cc66e49889c77d430c98503d6d80d56dfea49585558b8cd520

                                        • C:\providercommon\1zu9dW.bat

                                          Filesize

                                          36B

                                          MD5

                                          6783c3ee07c7d151ceac57f1f9c8bed7

                                          SHA1

                                          17468f98f95bf504cc1f83c49e49a78526b3ea03

                                          SHA256

                                          8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                          SHA512

                                          c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                        • C:\providercommon\DllCommonsvc.exe

                                          Filesize

                                          1.0MB

                                          MD5

                                          bd31e94b4143c4ce49c17d3af46bcad0

                                          SHA1

                                          f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                          SHA256

                                          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                          SHA512

                                          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                        • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                          Filesize

                                          197B

                                          MD5

                                          8088241160261560a02c84025d107592

                                          SHA1

                                          083121f7027557570994c9fc211df61730455bb5

                                          SHA256

                                          2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                          SHA512

                                          20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                        • memory/1316-207-0x000000001C6D0000-0x000000001C879000-memory.dmp

                                          Filesize

                                          1.7MB

                                        • memory/1316-201-0x00000000014D0000-0x00000000014E2000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/1464-166-0x0000000001770000-0x0000000001782000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/1496-85-0x0000000003050000-0x0000000003062000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/1736-46-0x00000177F8BD0000-0x00000177F8BF2000-memory.dmp

                                          Filesize

                                          136KB

                                        • memory/1888-15-0x0000000002FB0000-0x0000000002FBC000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/1888-12-0x00007FFB40403000-0x00007FFB40405000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/1888-13-0x0000000000D10000-0x0000000000E20000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/1888-17-0x0000000002FC0000-0x0000000002FCC000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/1888-14-0x00000000015E0000-0x00000000015F2000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/1888-16-0x00000000015F0000-0x00000000015FC000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2944-184-0x000000001CB10000-0x000000001CCB9000-memory.dmp

                                          Filesize

                                          1.7MB

                                        • memory/3004-159-0x0000000002EA0000-0x0000000002EB2000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/3604-178-0x000000001C940000-0x000000001CAE9000-memory.dmp

                                          Filesize

                                          1.7MB

                                        • memory/3964-198-0x000000001BFD0000-0x000000001C179000-memory.dmp

                                          Filesize

                                          1.7MB

                                        • memory/4112-133-0x0000000002620000-0x0000000002632000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/4112-138-0x000000001C030000-0x000000001C0D1000-memory.dmp

                                          Filesize

                                          644KB

                                        • memory/4572-191-0x000000001BF20000-0x000000001C0C9000-memory.dmp

                                          Filesize

                                          1.7MB