Overview

overview

10

Static

static

10

JaffaCakes...90.exe

windows7-x64

10

JaffaCakes...90.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2024 06:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_31a53412e2fc5f0446e175f79050d3c4944a7d5e580b0dc51dfb04e88967cb90.exe

  • Size

    1.3MB

  • MD5

    c5fcb2377e4d82c6318cfabb9afc4609

  • SHA1

    ebe156b50d5e35631bd6737c705f31f8f46682a6

  • SHA256

    31a53412e2fc5f0446e175f79050d3c4944a7d5e580b0dc51dfb04e88967cb90

  • SHA512

    5f8096ea77e52dfde309a75f21efb2cab29ee9a3840d19baff0908159bb3dc54d07cade40cec4f151884558d4e3efb7a778763af5411db46bc33c3fdd8856e88

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score
10/10
dcratdiscoveryexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 16 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31a53412e2fc5f0446e175f79050d3c4944a7d5e580b0dc51dfb04e88967cb90.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31a53412e2fc5f0446e175f79050d3c4944a7d5e580b0dc51dfb04e88967cb90.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2028
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3060
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2080
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\TermService\0409\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1996
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2560
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2640
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1716
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\it-IT\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1704
          • C:\providercommon\DllCommonsvc.exe
            "C:\providercommon\DllCommonsvc.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1940
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2944
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Templates\schtasks.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2876
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2696
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\services.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1680
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\OSPPSVC.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1520
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1992
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\services.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:556
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1488
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\conhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1164
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\dllhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1956
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WMIADAP.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1364
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2504
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:3020
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DXWnCRnTCI.bat"
              6⤵
                PID:276
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  7⤵
                    PID:2308
                  • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                    "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1636
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\TermService\0409\services.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2076
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\inf\TermService\0409\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2980
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\TermService\0409\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2952
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\lsm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1276
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2944
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2652
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2696
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2616
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2408
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\providercommon\taskhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2096
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:556
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2832
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\it-IT\explorer.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:788
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\it-IT\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2312
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\it-IT\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1008
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 12 /tr "'C:\Windows\PLA\Templates\schtasks.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:680
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Windows\PLA\Templates\schtasks.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1968
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\Templates\schtasks.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:272
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2712
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2228
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:276
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\CRMLog\services.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2588
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2036
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1576
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\OSPPSVC.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1636
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2308
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:832
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\powershell.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2464
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\powershell.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2092
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\powershell.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1936
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2900
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2920
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2972
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2816
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2664
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1960
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Downloads\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2828
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Downloads\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1548
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1868
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2708
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2980
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1964
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WMIADAP.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2496
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WMIADAP.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2784
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WMIADAP.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1784
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2136
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:852
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2180
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\providercommon\powershell.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:616
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1708
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:584

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\DXWnCRnTCI.bat
        Filesize

        228B

        MD5

        c2ed9518a3b85bd8fbb814c670cea11e

        SHA1

        5e76ef619968c2711159280175605ac61c8693cf

        SHA256

        b9836f1827b7380ba356e27654033ca75ceec1390947ee902f1f5c2edaf74340

        SHA512

        6e9b56df1bd99753c76ede533b701748f6b5e616bd716526044cadf307641eca2740e248301bd4f701116e7351a3354b2a9d2b8c37a95653218d6d86de3eeee3

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        8e902cfaa81703c4dc43b4190069a70a

        SHA1

        7121a854b2ed1dff3533e1a5332fdadac7abe552

        SHA256

        4c5e0c8336d1aeb9a98ccaf771260645bc81d80d6bf2ee04f679276cf0e6bc20

        SHA512

        a7e14c94886451fee2a71977b96f5e093f90d9d47aa2862c8a438b12d38540ef525186b5d192eb5a7a658f51923d29f422cd678d40c7387ff60032085a6d947f

        Download Submit

      • C:\providercommon\1zu9dW.bat
        Filesize

        36B

        MD5

        6783c3ee07c7d151ceac57f1f9c8bed7

        SHA1

        17468f98f95bf504cc1f83c49e49a78526b3ea03

        SHA256

        8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

        SHA512

        c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

        Download Submit

      • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
        Filesize

        197B

        MD5

        8088241160261560a02c84025d107592

        SHA1

        083121f7027557570994c9fc211df61730455bb5

        SHA256

        2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

        SHA512

        20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

        Download Submit

      • \providercommon\DllCommonsvc.exe
        Filesize

        1.0MB

        MD5

        bd31e94b4143c4ce49c17d3af46bcad0

        SHA1

        f8c51ff3ff909531d9469d4ba1bbabae101853ff

        SHA256

        b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

        SHA512

        f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

        Download Submit

      • memory/1636-121-0x0000000000240000-0x0000000000350000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/1716-54-0x000000001B370000-0x000000001B652000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2560-59-0x0000000002490000-0x0000000002498000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2876-106-0x00000000011C0000-0x00000000012D0000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3060-13-0x00000000002A0000-0x00000000003B0000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3060-17-0x0000000000180000-0x000000000018C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/3060-16-0x0000000000170000-0x000000000017C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/3060-15-0x0000000000160000-0x000000000016C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/3060-14-0x0000000000150000-0x0000000000162000-memory.dmp

        Filesize

        72KB

        Download