Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2024, 02:39

General

  • Target

    JaffaCakes118_d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe

  • Size

    1.3MB

  • MD5

    a37c7bb0f9b5bbd814388bc40cd5d638

  • SHA1

    821717ebf915edd7c627dbe52b8e1fd18e76d482

  • SHA256

    d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad

  • SHA512

    bac98a4ab9d84e2568f549df981a2a25713f141fd7eedf8c0562e763a25f70ab6702ff2e0ec5b06faf09aafd4aeed37fb461dca2a3ae1ca6b84d12b28690641c

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1920
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2768
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:296
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\DeviceSync\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1432
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1556
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1088
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2216
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WMIADAP.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:580
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2164
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1100
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1584
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Local Settings\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2312
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fr-FR\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2400
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3060
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2320
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iJNUp7u3xl.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2188
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2268
              • C:\Windows\Migration\csrss.exe
                "C:\Windows\Migration\csrss.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2372
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p6CE4ikEee.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1200
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:836
                    • C:\Windows\Migration\csrss.exe
                      "C:\Windows\Migration\csrss.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2236
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AvSbArq942.bat"
                        9⤵
                          PID:2816
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            10⤵
                              PID:3060
                            • C:\Windows\Migration\csrss.exe
                              "C:\Windows\Migration\csrss.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2328
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat"
                                11⤵
                                  PID:2272
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    12⤵
                                      PID:2944
                                    • C:\Windows\Migration\csrss.exe
                                      "C:\Windows\Migration\csrss.exe"
                                      12⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1572
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat"
                                        13⤵
                                          PID:112
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            14⤵
                                              PID:2708
                                            • C:\Windows\Migration\csrss.exe
                                              "C:\Windows\Migration\csrss.exe"
                                              14⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2656
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ph6jqiBtuj.bat"
                                                15⤵
                                                  PID:1656
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    16⤵
                                                      PID:2236
                                                    • C:\Windows\Migration\csrss.exe
                                                      "C:\Windows\Migration\csrss.exe"
                                                      16⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:3060
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat"
                                                        17⤵
                                                          PID:2856
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            18⤵
                                                              PID:2328
                                                            • C:\Windows\Migration\csrss.exe
                                                              "C:\Windows\Migration\csrss.exe"
                                                              18⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2392
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat"
                                                                19⤵
                                                                  PID:1192
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    20⤵
                                                                      PID:2600
                                                                    • C:\Windows\Migration\csrss.exe
                                                                      "C:\Windows\Migration\csrss.exe"
                                                                      20⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:1148
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat"
                                                                        21⤵
                                                                          PID:3008
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            22⤵
                                                                              PID:1880
                                                                            • C:\Windows\Migration\csrss.exe
                                                                              "C:\Windows\Migration\csrss.exe"
                                                                              22⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:612
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\DeviceSync\OSPPSVC.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1264
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\DeviceSync\OSPPSVC.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2764
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft\DeviceSync\OSPPSVC.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2700
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\spoolsv.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1904
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\spoolsv.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2680
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\spoolsv.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2740
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Migration\csrss.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2120
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Migration\csrss.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1960
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\csrss.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2660
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\spoolsv.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:3016
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\spoolsv.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2644
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\spoolsv.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1456
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1504
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1888
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2368
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft Help\audiodg.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1128
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\audiodg.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2996
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft Help\audiodg.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1484
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\Setup\State\OSPPSVC.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1992
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Setup\State\OSPPSVC.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2984
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\State\OSPPSVC.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2940
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\audiodg.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2636
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\audiodg.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2420
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\audiodg.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1696
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Local Settings\lsass.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:112
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\lsass.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1344
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Local Settings\lsass.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1928
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\sppsvc.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:396
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\sppsvc.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2124
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\sppsvc.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1160
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1516
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1324
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1828
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Documents\wininit.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1732
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Documents\wininit.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1184
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\wininit.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1192

                                  Network

                                        MITRE ATT&CK Enterprise v15

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          c30e1fbb58a5c02e792ff4d3e231f77e

                                          SHA1

                                          66696eb9cbbcaad4797462ba2ee91e62f64f7f45

                                          SHA256

                                          1c7d0b717e6e80617b4053f9e9bf7f9b77c7a1208b4bdedfcfa6e6f18c4a7ae8

                                          SHA512

                                          6d92012d83a3f4e4930172ac9ffddd7957c61d2f07f910a66c313b5978ed0bbea3c0148f7b4f3265561c0f37e7b8178b903182543fd75cb25cec1d88805f8110

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          b2f4749fe1ce2469070ded98772fa84a

                                          SHA1

                                          fec7bbb0a002abad5cdf85b3d3ee698b5834bd6e

                                          SHA256

                                          a48e7aa29dc90482d18da595181026e14c4497a7f97bb65c6856323a8dd89415

                                          SHA512

                                          d696aa5af578d3dac4fa8d350103e8fd2d77d666f6ee3b5c8f17f637aadbb05d29e7222108f3d30ad75a1fa7f385a8c036928734d4d85d4f361695c3110ffa04

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          fdf6da1e457b7024941371a4b764e7db

                                          SHA1

                                          1d5aa0e5c57dafe91796ce29984e0ee551d37dad

                                          SHA256

                                          dab4ca9699b72c92ea4fcad8526a85752207df59f25fe6170eb360da554bd05f

                                          SHA512

                                          a18fd49b2381d1953127ebbb5131d8078d4a9a6b1ee5b0dbdbd8d0d54007a8a496e2f19290aff7a9b93d9150906510af6a8e0a14418a933ab81ec808b265fb05

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          a5e0feb077b89ea86c36c7e2128f46f9

                                          SHA1

                                          713ae0120f51cca87939acd098e3cfc743568765

                                          SHA256

                                          33d15855e9d1b6735bba7c0387d83f7f47e5a0fb9876836a993be04cb62847a3

                                          SHA512

                                          16c25c85cf743b239f71946798e6c445bc5528ffc8b54cfcaf4f11ae65b8e0122a0b8605faf22075abf35a034d44da547d5388573ab64419191b5b703e4c41d3

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          8a2eb403712e4ac143d2ce899db1373b

                                          SHA1

                                          99eced3506df3aa90b7159d9aaff5e5fc56e7c6e

                                          SHA256

                                          9ffdf7be34faa5adb18576bf2ef839328e9e6d861657461de46e996176bd2da4

                                          SHA512

                                          ac0ee3dc15e1840de87cc2633e3e86719c14e9daf803401bbcc8c85443ebde4c224f5a650e7f286ab57c7234f1569a6d68710f373018c6e770caf8631c0f09ac

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          05a6a9e93b95914a7112058951694f67

                                          SHA1

                                          5624f64ebea584b376aa5cb397fa77da62a149b9

                                          SHA256

                                          69b327893f01654f03fb3eca66dea231dfe54f1fe075d48ce5467c90b44983be

                                          SHA512

                                          54ad518fbb4eed652f6babedfa878e41e2e43bdb281c81fc99d504be73c5264edb37abb9256395eac1f64ad9834390b64f93825c78667664707112ce5abad72f

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          af3d46d39d5fe9500693a27f806bb912

                                          SHA1

                                          e1849cf1accedc715280fdbab296c5a96b89e1b7

                                          SHA256

                                          b92c81b5a2d671ce082e18a9c7a8e77fcc04af4a5828cf48f94eeb2e88e23570

                                          SHA512

                                          ff73d0e0cf33d8867cd2a35835ca7a61d986c1307f66194b2ffc66cb9f595b3b52dbc236685d4b62ab791545559429f8253bb060087b435eac487759638ea8ee

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          87a439c9019563ff80bcf7000c0f748a

                                          SHA1

                                          c8f01a69f5f87b69830e729d5f036d19681dcda6

                                          SHA256

                                          8f2045da76d09666f74dc193e16c06afe0b38b4f5582542777c677c09d4653eb

                                          SHA512

                                          be47cb6a0062c18405e2a098e2ff3d1f7156d5cf3637c99161e22d0bcc36f6f5ee9ee7030c7f85ad3a4fddde2d10d687fc34eac4ed447018236963529fdd8c23

                                        • C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat

                                          Filesize

                                          195B

                                          MD5

                                          0d71384cd7511bf395d45a3232af2b34

                                          SHA1

                                          e6c71b697287603530958ef3431ecc680a1c849b

                                          SHA256

                                          112036b829c964da6a05d07f13a966259278d7f7d4430f2b23646d9ed1aae730

                                          SHA512

                                          8c6afd72fee86e34da82e174124ff885f601726932fc6efe90956de63c3ea1ab9e53accb6af437f1ad35c1f012b3082d00d45d7d31bfba31aa7499746c097acf

                                        • C:\Users\Admin\AppData\Local\Temp\AvSbArq942.bat

                                          Filesize

                                          195B

                                          MD5

                                          b9053496ef665e43cd82a094d8b639b4

                                          SHA1

                                          3ab3bca3f46b12daf7d9944ced49b03a98f86cc6

                                          SHA256

                                          c5ab9b37db763f64862defce5171775a9f077622e6ea5fb0f744e73b6d2ea191

                                          SHA512

                                          a7b690be54045498ce5db473860c6002aad01507ae217d1400540052714c31dce116384fe15e783e1c0ad8e3e711c24522c394789386cb9294e36a6a006fc110

                                        • C:\Users\Admin\AppData\Local\Temp\Cab3F72.tmp

                                          Filesize

                                          70KB

                                          MD5

                                          49aebf8cbd62d92ac215b2923fb1b9f5

                                          SHA1

                                          1723be06719828dda65ad804298d0431f6aff976

                                          SHA256

                                          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                          SHA512

                                          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                        • C:\Users\Admin\AppData\Local\Temp\Tar4002.tmp

                                          Filesize

                                          181KB

                                          MD5

                                          4ea6026cf93ec6338144661bf1202cd1

                                          SHA1

                                          a1dec9044f750ad887935a01430bf49322fbdcb7

                                          SHA256

                                          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                          SHA512

                                          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                        • C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat

                                          Filesize

                                          195B

                                          MD5

                                          cb4984aaac58ebaf45c04090349f3f56

                                          SHA1

                                          db30de851faf5ccf7ea64cc0715f5779f8c5bcb5

                                          SHA256

                                          2dda702ba82b1c7dec93f68afb6749d86eda68a5549afbad9f9ad0fe45bea842

                                          SHA512

                                          533d5fdbeae560f926b62d3e93bda1d260e43d95e06a08cab0cdd852be55421e4ba8483855b5f30a4f4e1b3453f6d0989272231bc000f130028df83503513fb5

                                        • C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat

                                          Filesize

                                          195B

                                          MD5

                                          c3b482113c768566df5bddf1d2ca0713

                                          SHA1

                                          320d1ef36b7be1c75a3b77b95fcfa9bf7e0917cb

                                          SHA256

                                          5a9421507d2a3685a755e3a4f9fc1d208e75486b31de6cb5c73344cbb54dcaeb

                                          SHA512

                                          9a102a65e37ba0142a095884c10f4eab2405f1a2848bad780204634f0fceeabd2746950757d8056661f18c36d25c4639fafd9cfda4d8f46aa65bdcee6e93b978

                                        • C:\Users\Admin\AppData\Local\Temp\iJNUp7u3xl.bat

                                          Filesize

                                          195B

                                          MD5

                                          7452468867fce1cdb74ea2fe7fafcf7e

                                          SHA1

                                          c84ef03caf7779c6d381a8e24bfd77ff437879da

                                          SHA256

                                          b16b0fb22ade1e7f35af6106652b35ae4ede882e103a3686c4727c9d6ffcda7e

                                          SHA512

                                          901d90e660f61b7fa02771464b5e2666818e1d6462b9e5e9b224c7e298a7a443144afd71111702a49f5fa6b9cd6241ead0ae8c58370eeeb37967cbfe557ba986

                                        • C:\Users\Admin\AppData\Local\Temp\p6CE4ikEee.bat

                                          Filesize

                                          195B

                                          MD5

                                          224d9448c7d88fbbbee3dc620a993cb0

                                          SHA1

                                          b86e53763dc87c8785209e45879b1f2454d76e7b

                                          SHA256

                                          fba16ee76f6bc5608adf04f730bde8bed08e5c89c0bca2d06c41f2b6f890bccb

                                          SHA512

                                          570cf28b26f522053939a23527529c6ae042b378dd189b20c43cb409e0094467faee5066c0709eb4c76a757aa61df8f7d18e18f7d5e0ac06d04a8c785f346ff5

                                        • C:\Users\Admin\AppData\Local\Temp\ph6jqiBtuj.bat

                                          Filesize

                                          195B

                                          MD5

                                          eb531ff1e5ff8ba0ed5f87b48ccbd310

                                          SHA1

                                          0b9101a2fe08ccab622060f3c79e789245a9b018

                                          SHA256

                                          0c83646dd76bea80f6a551d8efdd17c4ea4e7bccea94afca43bf4000f4309a82

                                          SHA512

                                          b91bf1d6b947c0a4edb808fa3d4c45c4636d88d3943a2c58b6e81c07e7a2d0dfc75762fdfacdbc817da62cd3ffd66713a7a220cc1aae81df9a2f4f62fc5b8829

                                        • C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat

                                          Filesize

                                          195B

                                          MD5

                                          62c8b5bc3d34bcfdc14056bbd58fea45

                                          SHA1

                                          a472afc809917a6b8dc11f493e7765aa27e1a37d

                                          SHA256

                                          34523e97b7bd231a5179ca17fd910ed02ae502f47d3f9a534d93c285d29d48b8

                                          SHA512

                                          b6c997c8507b6a9c632103c083ecdd270e8d065b9cacde333619bb5d8600a545bb6e78d952485f7c2c1ff3bfeb455fc4fa152774d4beba9dcd4e99d64b9884f1

                                        • C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat

                                          Filesize

                                          195B

                                          MD5

                                          01334ee135bef98b2df8d22aea4e027d

                                          SHA1

                                          6b7f3f365639c92ee0efe2d49355bde351118386

                                          SHA256

                                          14d8878432a6b8dd1fb7c78fd88faba574c94093712207a5e972956cb9c58f2b

                                          SHA512

                                          6b6d1cb6141b98d990f34057f29f544a67412cb79be34129749c18125f910164767c26e4739823c433e642482168e07b6b4c30c6847a434ece3d8868ed653c1c

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                          Filesize

                                          7KB

                                          MD5

                                          28daf452c1fbc3b427861b04fa5a91aa

                                          SHA1

                                          7813c15564877d3b8752a57184cf7b4f1bbf785c

                                          SHA256

                                          3db4790af0a5b8e6c7d796ab32830be3ed354212f0ac10d807b405c13e096bd1

                                          SHA512

                                          e58831f6a68fed0167e370c9fea6008c890e95e77534595f773b3d2aff6f5a1bfcb11dcdfed6a88919138e5d5a2daa00b22c6e5359fedf70da5d9f5b174bc808

                                        • C:\providercommon\1zu9dW.bat

                                          Filesize

                                          36B

                                          MD5

                                          6783c3ee07c7d151ceac57f1f9c8bed7

                                          SHA1

                                          17468f98f95bf504cc1f83c49e49a78526b3ea03

                                          SHA256

                                          8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                          SHA512

                                          c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                        • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                          Filesize

                                          197B

                                          MD5

                                          8088241160261560a02c84025d107592

                                          SHA1

                                          083121f7027557570994c9fc211df61730455bb5

                                          SHA256

                                          2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                          SHA512

                                          20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                        • \providercommon\DllCommonsvc.exe

                                          Filesize

                                          1.0MB

                                          MD5

                                          bd31e94b4143c4ce49c17d3af46bcad0

                                          SHA1

                                          f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                          SHA256

                                          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                          SHA512

                                          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                        • memory/1572-288-0x0000000000A50000-0x0000000000B60000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/1584-75-0x000000001B190000-0x000000001B472000-memory.dmp

                                          Filesize

                                          2.9MB

                                        • memory/2236-168-0x00000000002C0000-0x00000000003D0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2320-76-0x0000000002520000-0x0000000002528000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/2328-228-0x00000000001E0000-0x00000000002F0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2372-109-0x0000000000DC0000-0x0000000000ED0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2392-468-0x0000000001200000-0x0000000001310000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2656-348-0x0000000000BF0000-0x0000000000D00000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2768-15-0x0000000000270000-0x000000000027C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2768-14-0x0000000000260000-0x0000000000272000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/2768-13-0x0000000000090000-0x00000000001A0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2768-16-0x0000000000570000-0x000000000057C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2768-17-0x0000000000580000-0x000000000058C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/3060-408-0x0000000000F30000-0x0000000001040000-memory.dmp

                                          Filesize

                                          1.1MB