Overview

overview

10

Static

static

10

JaffaCakes...74.exe

windows7-x64

10

JaffaCakes...74.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2024 13:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_1f335df25c042d5bac5a4a60c46bb5a22444e2f9928530b4e1d0fe64942a2f74.exe

  • Size

    1.3MB

  • MD5

    f48774cbdaaf07d114dd701cc45f2696

  • SHA1

    130eb577f25ef402398fca11626f86e008e9cd2d

  • SHA256

    1f335df25c042d5bac5a4a60c46bb5a22444e2f9928530b4e1d0fe64942a2f74

  • SHA512

    3d267448b058ccb9ad92940995ecca86e0e39be963ba02622f08008d19197db67b5a673d053109ca0696c4484d77703e51beaee594bed0e28dbf084f925ab671

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score
10/10
dcratdiscoveryexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 27 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 22 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f335df25c042d5bac5a4a60c46bb5a22444e2f9928530b4e1d0fe64942a2f74.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f335df25c042d5bac5a4a60c46bb5a22444e2f9928530b4e1d0fe64942a2f74.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2252
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2632
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2320
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2520
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1712
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2200
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2196
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2152
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1720
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1856
          • C:\providercommon\DllCommonsvc.exe
            "C:\providercommon\DllCommonsvc.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:828
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2112
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2244
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\schtasks.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2428
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Application\smss.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1800
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\schtasks.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:740
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\ja-JP\conhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2612
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2092
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\WIA\services.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2932
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2896
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2936
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2532
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\schtasks.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1504
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\smss.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2576
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\schtasks.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1712
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\audiodg.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2852
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:3048
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2828
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1048
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1936
            • C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe
              "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1244
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\DllCommonsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:2980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2904
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2888
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\providercommon\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:2848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2984
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2692
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2556
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2256
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1984
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:1632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1228
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:108
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3028
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Documents\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1904
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Documents\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2204
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1420
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\powershell.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:872
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\powershell.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2224
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\powershell.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2384
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\schtasks.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\schtasks.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\schtasks.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2756
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\Writers\Application\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:2968
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2828
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\Application\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2960
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\schtasks.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\schtasks.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\schtasks.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\ja-JP\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1732
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\ja-JP\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3068
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\ja-JP\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2692
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Windows\Setup\State\powershell.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3064
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\Setup\State\powershell.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Windows\Setup\State\powershell.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1604
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\WIA\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\debug\WIA\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2924
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\WIA\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2176
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\providercommon\powershell.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:2192
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2460
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:2868
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1380
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2664
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\schtasks.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\schtasks.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2180
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\schtasks.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1928
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\Installer\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1724
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Installer\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2104
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\Installer\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:1940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\schtasks.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\schtasks.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\schtasks.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\PCHEALTH\ERRORREP\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1136
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1180
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\PCHEALTH\ERRORREP\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:2656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2592
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2516
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\providercommon\conhost.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2308
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:2340
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'" /f
    1⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'" /rl HIGHEST /f
    1⤵
      PID:344
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2384
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /f
      1⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1220
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1436
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /rl HIGHEST /f
      1⤵
        PID:320

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\24dbde2999530e
        Filesize

        858B

        MD5

        935e2cf929ecad2df45394a437b2324d

        SHA1

        7bf92999a13bbc25c52105d78a6e4c12fc80e89d

        SHA256

        56561b80c07bb6922533fcce1e96f38ae212f6603edb6bd1c21a0b9bf9e7731a

        SHA512

        33d9f28639dfb13ea66e4510e2786e63c698c756b72a790daf507e7b32afb0f6d1fc1e77e0c0496abe011a92e5da91f389d12925bdb87bb32dcaba02fe515a4b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        a6128c2adb96ac2be47b440ce12e1db0

        SHA1

        d11a9a859dd8783528cad71f486353b98615eb59

        SHA256

        d8943dac41680e845d969549301fca48973738d19e598c67bcdc718f6b7a7ffc

        SHA512

        80a3d745f199c212ede1c14c7bc4438610536f73ee7cfed5ec2f678d7bf569719b657a9477b971d1877636c93983970aea9f3b3fc863d8cec6d6e14213190b1b

        Download Submit

      • C:\providercommon\1zu9dW.bat
        Filesize

        36B

        MD5

        6783c3ee07c7d151ceac57f1f9c8bed7

        SHA1

        17468f98f95bf504cc1f83c49e49a78526b3ea03

        SHA256

        8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

        SHA512

        c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

        Download Submit

      • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
        Filesize

        197B

        MD5

        8088241160261560a02c84025d107592

        SHA1

        083121f7027557570994c9fc211df61730455bb5

        SHA256

        2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

        SHA512

        20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

        Download Submit

      • \providercommon\DllCommonsvc.exe
        Filesize

        1.0MB

        MD5

        bd31e94b4143c4ce49c17d3af46bcad0

        SHA1

        f8c51ff3ff909531d9469d4ba1bbabae101853ff

        SHA256

        b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

        SHA512

        f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

        Download Submit

      • memory/1244-193-0x0000000001010000-0x0000000001120000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2112-170-0x0000000001310000-0x0000000001420000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2152-54-0x0000000002790000-0x0000000002798000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2520-47-0x000000001B600000-0x000000001B8E2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2632-13-0x0000000000B20000-0x0000000000C30000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2632-17-0x0000000000480000-0x000000000048C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2632-16-0x00000000001F0000-0x00000000001FC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2632-15-0x00000000001E0000-0x00000000001EC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2632-14-0x00000000001D0000-0x00000000001E2000-memory.dmp

        Filesize

        72KB

        Download