Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-12-2024 04:39

General

  • Target

    JaffaCakes118_baa790bb56caf85c5c09ab3fd4099e70a5cd82f17d267be7246a093bc4e671bb.exe

  • Size

    1.3MB

  • MD5

    58a5481b8ddad2ee22d5ca4a7bd0b264

  • SHA1

    e7ad44a02c67898789c9af87661b01bb8d7fc849

  • SHA256

    baa790bb56caf85c5c09ab3fd4099e70a5cd82f17d267be7246a093bc4e671bb

  • SHA512

    e302e387e4ff10e7f1ea05b4e6d76da3329f1c07b71b1bbaab708d8030eea825a5ac5b2ac58ed10a68ceae88495908e15ee706206c0a98820d3fcc997abe08e8

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_baa790bb56caf85c5c09ab3fd4099e70a5cd82f17d267be7246a093bc4e671bb.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_baa790bb56caf85c5c09ab3fd4099e70a5cd82f17d267be7246a093bc4e671bb.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2672
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2416
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\ja-JP\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1848
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2388
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1596
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2424
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2104
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1232
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1316
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:448
          • C:\Program Files\Uninstall Information\csrss.exe
            "C:\Program Files\Uninstall Information\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2508
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2768
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2284
                • C:\Program Files\Uninstall Information\csrss.exe
                  "C:\Program Files\Uninstall Information\csrss.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2892
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1296
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:2908
                      • C:\Program Files\Uninstall Information\csrss.exe
                        "C:\Program Files\Uninstall Information\csrss.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2748
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2804
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:2164
                            • C:\Program Files\Uninstall Information\csrss.exe
                              "C:\Program Files\Uninstall Information\csrss.exe"
                              11⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2832
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat"
                                12⤵
                                  PID:2480
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    13⤵
                                      PID:332
                                    • C:\Program Files\Uninstall Information\csrss.exe
                                      "C:\Program Files\Uninstall Information\csrss.exe"
                                      13⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2184
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uruRJY5g5x.bat"
                                        14⤵
                                          PID:2232
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            15⤵
                                              PID:1532
                                            • C:\Program Files\Uninstall Information\csrss.exe
                                              "C:\Program Files\Uninstall Information\csrss.exe"
                                              15⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2908
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fELEOgu8eF.bat"
                                                16⤵
                                                  PID:1604
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    17⤵
                                                      PID:2408
                                                    • C:\Program Files\Uninstall Information\csrss.exe
                                                      "C:\Program Files\Uninstall Information\csrss.exe"
                                                      17⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:788
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7lFc7N4hi3.bat"
                                                        18⤵
                                                          PID:2212
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            19⤵
                                                              PID:2700
                                                            • C:\Program Files\Uninstall Information\csrss.exe
                                                              "C:\Program Files\Uninstall Information\csrss.exe"
                                                              19⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:3052
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat"
                                                                20⤵
                                                                  PID:2240
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    21⤵
                                                                      PID:1656
                                                                    • C:\Program Files\Uninstall Information\csrss.exe
                                                                      "C:\Program Files\Uninstall Information\csrss.exe"
                                                                      21⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2140
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat"
                                                                        22⤵
                                                                          PID:448
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            23⤵
                                                                              PID:2280
                                                                            • C:\Program Files\Uninstall Information\csrss.exe
                                                                              "C:\Program Files\Uninstall Information\csrss.exe"
                                                                              23⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2516
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9BpIS9nw5f.bat"
                                                                                24⤵
                                                                                  PID:2040
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    25⤵
                                                                                      PID:2668
                                                                                    • C:\Program Files\Uninstall Information\csrss.exe
                                                                                      "C:\Program Files\Uninstall Information\csrss.exe"
                                                                                      25⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2128
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M1TWCJOn7d.bat"
                                                                                        26⤵
                                                                                          PID:1268
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            27⤵
                                                                                              PID:2992
                                                                                            • C:\Program Files\Uninstall Information\csrss.exe
                                                                                              "C:\Program Files\Uninstall Information\csrss.exe"
                                                                                              27⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:2284
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\ja-JP\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3068
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\ja-JP\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2148
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1924
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\LiveKernelReports\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2208
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2892
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\providercommon\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2852
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Recent\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1496
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Recent\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1028
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Recent\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1100
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Recorded TV\DllCommonsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Recorded TV\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Videos\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Videos\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2536
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Videos\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1264
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2264
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2276
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2368

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Downloads

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342B; ten successive versions of this file were recorded)
                                        • C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat (213B)
                                        • C:\Users\Admin\AppData\Local\Temp\7lFc7N4hi3.bat (213B)
                                        • C:\Users\Admin\AppData\Local\Temp\9BpIS9nw5f.bat (213B)
                                        • C:\Users\Admin\AppData\Local\Temp\Cab3890.tmp (70KB)
                                        • C:\Users\Admin\AppData\Local\Temp\M1TWCJOn7d.bat (213B)
                                        • C:\Users\Admin\AppData\Local\Temp\Tar3893.tmp (181KB)
                                        • C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat (213B)
                                        • C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat (213B)
                                        • C:\Users\Admin\AppData\Local\Temp\fELEOgu8eF.bat (213B)
                                        • C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat (213B)
                                        • C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat (213B)
                                        • C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat (213B)
                                        • C:\Users\Admin\AppData\Local\Temp\uruRJY5g5x.bat (213B)
                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (7KB)
                                        • C:\providercommon\1zu9dW.bat (36B)
                                        • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe (197B)
                                        • \providercommon\DllCommonsvc.exe (1.0MB)

                                        • memory/1316-87-0x000000001B5E0000-0x000000001B8C2000-memory.dmp (2.9MB)
                                        • memory/1316-88-0x0000000001EC0000-0x0000000001EC8000-memory.dmp (32KB)
                                        • memory/2128-683-0x0000000000330000-0x0000000000440000-memory.dmp (1.1MB)
                                        • memory/2184-326-0x00000000000D0000-0x00000000001E0000-memory.dmp (1.1MB)
                                        • memory/2284-743-0x0000000000F00000-0x0000000001010000-memory.dmp (1.1MB)
                                        • memory/2388-51-0x000000001B700000-0x000000001B9E2000-memory.dmp (2.9MB)
                                        • memory/2388-56-0x0000000001F70000-0x0000000001F78000-memory.dmp (32KB)
                                        • memory/2508-71-0x0000000000DD0000-0x0000000000EE0000-memory.dmp (1.1MB)
                                        • memory/2672-17-0x00000000009B0000-0x00000000009BC000-memory.dmp (48KB)
                                        • memory/2672-16-0x00000000009A0000-0x00000000009AC000-memory.dmp (48KB)
                                        • memory/2672-15-0x0000000000990000-0x000000000099C000-memory.dmp (48KB)
                                        • memory/2672-14-0x0000000000980000-0x0000000000992000-memory.dmp (72KB)
                                        • memory/2672-13-0x00000000009D0000-0x0000000000AE0000-memory.dmp (1.1MB)
                                        • memory/2748-206-0x0000000000DE0000-0x0000000000EF0000-memory.dmp (1.1MB)
                                        • memory/2832-266-0x0000000000150000-0x0000000000162000-memory.dmp (72KB)
                                        • memory/2908-387-0x0000000000440000-0x0000000000452000-memory.dmp (72KB)
                                        • memory/2908-386-0x0000000000D50000-0x0000000000E60000-memory.dmp (1.1MB)