Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/12/2024, 02:42

General

  • Target

    JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe

  • Size

    1.3MB

  • MD5

    5bfc410c52b9a8e9586447e35a2e0571

  • SHA1

    36439d929ecb0cc75393a0137bfc9bd9bcac10ce

  • SHA256

    6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7

  • SHA512

    32beff4980735ad8cff05f804f4242df20e14adaa13f3a897114ec87f819b5ab7d54d28a5683e14558d4c0569b1d0d7a89ba8b465a5bac9852cf205e4a3ecc21

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 16 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 14 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4680
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:548
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2544
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2392
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\sysmon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3708
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1980
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\TextInputHost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4880
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4956
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:960
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1612
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9hYFnRH7ET.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2600
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1412
              • C:\providercommon\RuntimeBroker.exe
                "C:\providercommon\RuntimeBroker.exe"
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3348
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1160
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:1932
                    • C:\providercommon\RuntimeBroker.exe
                      "C:\providercommon\RuntimeBroker.exe"
                      8⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4588
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3052
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:628
                          • C:\providercommon\RuntimeBroker.exe
                            "C:\providercommon\RuntimeBroker.exe"
                            10⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Modifies registry class
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:4384
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUc4JDtx8N.bat"
                              11⤵
                              • Suspicious use of WriteProcessMemory
                              PID:1292
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                12⤵
                                  PID:4664
                                • C:\providercommon\RuntimeBroker.exe
                                  "C:\providercommon\RuntimeBroker.exe"
                                  12⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:4108
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NjKeWzk8OD.bat"
                                    13⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:4736
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      14⤵
                                        PID:3676
                                      • C:\providercommon\RuntimeBroker.exe
                                        "C:\providercommon\RuntimeBroker.exe"
                                        14⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Modifies registry class
                                        PID:1060
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat"
                                          15⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:3280
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            16⤵
                                              PID:1092
                                            • C:\providercommon\RuntimeBroker.exe
                                              "C:\providercommon\RuntimeBroker.exe"
                                              16⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Modifies registry class
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of WriteProcessMemory
                                              PID:3284
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat"
                                                17⤵
                                                • Suspicious use of WriteProcessMemory
                                                PID:4876
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  18⤵
                                                    PID:1216
                                                  • C:\providercommon\RuntimeBroker.exe
                                                    "C:\providercommon\RuntimeBroker.exe"
                                                    18⤵
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Modifies registry class
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:872
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat"
                                                      19⤵
                                                        PID:1492
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          20⤵
                                                            PID:4380
                                                          • C:\providercommon\RuntimeBroker.exe
                                                            "C:\providercommon\RuntimeBroker.exe"
                                                            20⤵
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • Modifies registry class
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2576
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AsgPmp9HNF.bat"
                                                              21⤵
                                                                PID:1416
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  22⤵
                                                                    PID:1456
                                                                  • C:\providercommon\RuntimeBroker.exe
                                                                    "C:\providercommon\RuntimeBroker.exe"
                                                                    22⤵
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • Modifies registry class
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:372
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat"
                                                                      23⤵
                                                                        PID:2356
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          24⤵
                                                                            PID:2968
                                                                          • C:\providercommon\RuntimeBroker.exe
                                                                            "C:\providercommon\RuntimeBroker.exe"
                                                                            24⤵
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            • Modifies registry class
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1596
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat"
                                                                              25⤵
                                                                                PID:1284
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  26⤵
                                                                                    PID:2540
                                                                                  • C:\providercommon\RuntimeBroker.exe
                                                                                    "C:\providercommon\RuntimeBroker.exe"
                                                                                    26⤵
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    • Modifies registry class
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:4868
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat"
                                                                                      27⤵
                                                                                        PID:3240
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          28⤵
                                                                                            PID:1496
                                                                                          • C:\providercommon\RuntimeBroker.exe
                                                                                            "C:\providercommon\RuntimeBroker.exe"
                                                                                            28⤵
                                                                                            • Checks computer location settings
                                                                                            • Executes dropped EXE
                                                                                            • Modifies registry class
                                                                                            PID:1060
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat"
                                                                                              29⤵
                                                                                                PID:4372
                                                                                                • C:\Windows\system32\w32tm.exe
                                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                  30⤵
                                                                                                    PID:864
                                                                                                  • C:\providercommon\RuntimeBroker.exe
                                                                                                    "C:\providercommon\RuntimeBroker.exe"
                                                                                                    30⤵
                                                                                                    • Checks computer location settings
                                                                                                    • Executes dropped EXE
                                                                                                    • Modifies registry class
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:4160
                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat"
                                                                                                      31⤵
                                                                                                        PID:1564
                                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                          32⤵
                                                                                                            PID:3916
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\sysmon.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:116
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\debug\sysmon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4624
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\sysmon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:312
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1344
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3252
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:5048
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\TextInputHost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4232
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\TextInputHost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1492
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\TextInputHost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4388
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\fr-FR\sppsvc.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4976
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\fr-FR\sppsvc.exe'" /rl HIGHEST /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3120
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\sppsvc.exe'" /rl HIGHEST /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2680
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4580
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4760
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1712
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3044
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2692
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4156

                                                  Downloads

                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

                                                    Filesize

                                                    1KB

                                                    MD5

                                                    baf55b95da4a601229647f25dad12878

                                                    SHA1

                                                    abc16954ebfd213733c4493fc1910164d825cac8

                                                    SHA256

                                                    ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                                    SHA512

                                                    24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                    Filesize

                                                    2KB

                                                    MD5

                                                    d85ba6ff808d9e5444a4b369f5bc2730

                                                    SHA1

                                                    31aa9d96590fff6981b315e0b391b575e4c0804a

                                                    SHA256

                                                    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                    SHA512

                                                    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                    Filesize

                                                    944B

                                                    MD5

                                                    d28a889fd956d5cb3accfbaf1143eb6f

                                                    SHA1

                                                    157ba54b365341f8ff06707d996b3635da8446f7

                                                    SHA256

                                                    21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                                    SHA512

                                                    0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                    Filesize

                                                    944B

                                                    MD5

                                                    cadef9abd087803c630df65264a6c81c

                                                    SHA1

                                                    babbf3636c347c8727c35f3eef2ee643dbcc4bd2

                                                    SHA256

                                                    cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

                                                    SHA512

                                                    7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                    Filesize

                                                    944B

                                                    MD5

                                                    bd5940f08d0be56e65e5f2aaf47c538e

                                                    SHA1

                                                    d7e31b87866e5e383ab5499da64aba50f03e8443

                                                    SHA256

                                                    2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

                                                    SHA512

                                                    c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

                                                  • C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat

                                                    Filesize

                                                    200B

                                                    MD5

                                                    f00b33f15947c360501e1fed79cf5492

                                                    SHA1

                                                    024513660b53a36ad0709d3f5f83a651364ce33d

                                                    SHA256

                                                    ab39a13831e324874b5b634a47c989a97e3b582a2fef26ab2bb1d3d1ec5168dc

                                                    SHA512

                                                    56d28d39a4e64cb156ce98499ec0d087c3e0a8bb9f5a05c83f1c1ec3f48b5b1e44f5a3f8a75712cb664ceb1fa99a6ae20e12019580598035d4d6124470aaf93b

                                                  • C:\Users\Admin\AppData\Local\Temp\9hYFnRH7ET.bat

                                                    Filesize

                                                    200B

                                                    MD5

                                                    4abcc3207ece2e444a4f9dca90244e4a

                                                    SHA1

                                                    c3cc327223bd107a48175c09f1b7c7f1e30de241

                                                    SHA256

                                                    90acb3e0a02ecdce0c4e89fe286a82c692b0717b4242bc417dbeb8b61ad74654

                                                    SHA512

                                                    72c8b6606c191303276ac789c6a2f77e0d9cea60f5411f8e74f94d539a9b72efc3d9f940d3816f01b27f4dacf799b6aa0f35b45feeb1d0832d0f629ecfa9f707

                                                  • C:\Users\Admin\AppData\Local\Temp\AsgPmp9HNF.bat

                                                    Filesize

                                                    200B

                                                    MD5

                                                    c9168bbade509fd6a19710fc148f14ba

                                                    SHA1

                                                    8e55947a9f713409d938a32560f1b1b35577c47f

                                                    SHA256

                                                    b36f0eb615be2665e2c6d4c8f8b5efdfe1ad15a4746d93836e4c22cafe42f81c

                                                    SHA512

                                                    50316b47e5c25ee069b99ca2e4a766af661c66e59c52f5dec19492c597264a5032462e85101972a25bff405da3411753d42eec7cad890fc4356199a3df815769

                                                  • C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat

                                                    Filesize

                                                    200B

                                                    MD5

                                                    6de785efd6526da38d37f14fb9fe8fc3

                                                    SHA1

                                                    633478ac62af0aa79186eab697dfb2e1ebf8a056

                                                    SHA256

                                                    a8d873051c2fb2e1213b0260253ccaf9aec98188b3d919245f45f91368424a2f

                                                    SHA512

                                                    3e7209e800865012aeca9cbd891cbbafd9a31b3e6657392fff4e22321c6970d9bfa3d9aaafc5b11244f80ca3e8e5499c61643ad8fcd3e8e38ade355d9538fc72

                                                  • C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat

                                                    Filesize

                                                    200B

                                                    MD5

                                                    1851078bfa9dba17e007c17616f38f1f

                                                    SHA1

                                                    10d3b22308a260c5d4efbf00a34bd8cfd0d936f5

                                                    SHA256

                                                    fc42beab32b713b775149f10ff9af3bab6cb785baca92262e627e8140f22b9aa

                                                    SHA512

                                                    29ccbd4ec01fcc5ddc278cfa4aee3887beff21ab1507b1bc712495653631820f8c0a86fe21a0f10cb1b7245cbf6656cc22da9b94fb5c9417df808fba238d3587

                                                  • C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat

                                                    Filesize

                                                    200B

                                                    MD5

                                                    d62a8047dba663760da05c75f2ed9aaa

                                                    SHA1

                                                    3cf3a95d4d1a5341d45a6f9fc66a8e6d6d586e3e

                                                    SHA256

                                                    da3d1634e149238512f59cf963b2c6dc0bf426a68166ce32c98ac6f37f70a970

                                                    SHA512

                                                    fd34ed87e77d66d3d993fd7e30c22e7471f3b6f5cf072aef32db60d58df0dcf5a9bff3ac3f6133c81fc796bd2e6e24e9184d596fe4ab7e8dbfcb1bd2e7515d60

                                                  • C:\Users\Admin\AppData\Local\Temp\NjKeWzk8OD.bat

                                                    Filesize

                                                    200B

                                                    MD5

                                                    64cb1144350fff78f51748d057c5fccc

                                                    SHA1

                                                    cdf2ed3f4896d7f4359116a6ee6279b5a915ade5

                                                    SHA256

                                                    bcd0dd9f6e45ac907fc4eea9f3ba8906f18171cbc842ff5ab6e56d3466411061

                                                    SHA512

                                                    d7157e6d6706eaa5f265a0c60028a9909376d621f8e53e34851f5e7485db3c6d9514f866ddab0ce475d36a8558183b81ea434f8b625626acb9a1930de6dc57db

                                                  • C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat

                                                    Filesize

                                                    200B

                                                    MD5

                                                    1722b4980e5e881c52bbfffa0675acfe

                                                    SHA1

                                                    115e181ac96590a6c8f589c347b76a3ed1bf7942

                                                    SHA256

                                                    bf31f4a3a8a73e2d58a90b0ad2250b41757e161e8d78d023910870c4c6d967ce

                                                    SHA512

                                                    f0c97a7bbd4d2fef5223b4152f5b6cc0f8345e6151c5c4a1e6f892655cbd30e72cfb0c964dbb005684661b3737cc584b0898fb3994c3cc5d32de9e2e55dc24e9

                                                  • C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat

                                                    Filesize

                                                    200B

                                                    MD5

                                                    d86760c2f21e55c8abd49e62281284ad

                                                    SHA1

                                                    af3806e007cc600e8619bf531dbb0186820b6b8b

                                                    SHA256

                                                    2560627667e5d47e9a371246045758fcb161d0e3644d7f46e0f33546d17747d0

                                                    SHA512

                                                    7e33c030608ccbba24f011c2e1352a43a379bb72756b9fb2e93514bd22aff76906c8d4ae426c0df3c48bc61bb4946270abc88a850315adc4cb332ff22ede500c

                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pluqywwn.wrr.ps1

                                                    Filesize

                                                    60B

                                                    MD5

                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                    SHA1

                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                    SHA256

                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                    SHA512

                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                  • C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat

                                                    Filesize

                                                    200B

                                                    MD5

                                                    08852af7340772f11e8a5965fe428854

                                                    SHA1

                                                    fd7bfe34f13b68757c58bba735b512a4f3f9e3f8

                                                    SHA256

                                                    7eb4d12e359e924bac718f69d14b4f9bea1cd1eb59038b14b450e0b53bcdc237

                                                    SHA512

                                                    6cd7145ee519196074a663c072770ea82346d0e6422defac3974b19e3166f69c4863f000be36c242161313ff3a117eb08ccbbbf756d64e86624c2101d2a9e0e8

                                                  • C:\Users\Admin\AppData\Local\Temp\kUc4JDtx8N.bat

                                                    Filesize

                                                    200B

                                                    MD5

                                                    dfcffd74446ba4c141145e64c2ad2540

                                                    SHA1

                                                    a90214ceb5266c00ce616d6d821c17773015db7c

                                                    SHA256

                                                    f14dcbb52d161200456ce21e649a55f362ed1727fbbe046b4c96283fde5acc86

                                                    SHA512

                                                    df838dce46033ed78c6efaaca324d734851b948631d92609828a3d138f2493c3306b313a99f8a21ca0caa8a7f5cff6b3482aa4b53f455f25650f6c195d14327f

                                                  • C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat

                                                    Filesize

                                                    200B

                                                    MD5

                                                    aef01560c9a461ace84754307ef0804f

                                                    SHA1

                                                    079a514af6a279328cde26b06876fc977449cbfd

                                                    SHA256

                                                    8178cf23d189580f07f73a42ca0d98120c58f2f0598c6f705fa8c6124a09d17e

                                                    SHA512

                                                    9c6e569332311bf024f665debd3b589fefeb65e45ed109bf162cfaa4dfda60d77cde57cc0b14e4658c92ea1bb0c43d440c59e947b342435cdc35d37db0ec6080

                                                  • C:\providercommon\1zu9dW.bat

                                                    Filesize

                                                    36B

                                                    MD5

                                                    6783c3ee07c7d151ceac57f1f9c8bed7

                                                    SHA1

                                                    17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                    SHA256

                                                    8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                    SHA512

                                                    c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                  • C:\providercommon\DllCommonsvc.exe

                                                    Filesize

                                                    1.0MB

                                                    MD5

                                                    bd31e94b4143c4ce49c17d3af46bcad0

                                                    SHA1

                                                    f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                    SHA256

                                                    b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                    SHA512

                                                    f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                  • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                    Filesize

                                                    197B

                                                    MD5

                                                    8088241160261560a02c84025d107592

                                                    SHA1

                                                    083121f7027557570994c9fc211df61730455bb5

                                                    SHA256

                                                    2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                    SHA512

                                                    20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                                  • memory/2544-12-0x00007FFEF6E33000-0x00007FFEF6E35000-memory.dmp

                                                    Filesize

                                                    8KB

                                                  • memory/2544-17-0x0000000002E90000-0x0000000002E9C000-memory.dmp

                                                    Filesize

                                                    48KB

                                                  • memory/2544-16-0x0000000002E80000-0x0000000002E8C000-memory.dmp

                                                    Filesize

                                                    48KB

                                                  • memory/2544-15-0x0000000002EA0000-0x0000000002EAC000-memory.dmp

                                                    Filesize

                                                    48KB

                                                  • memory/2544-14-0x0000000001520000-0x0000000001532000-memory.dmp

                                                    Filesize

                                                    72KB

                                                  • memory/2544-13-0x0000000000A40000-0x0000000000B50000-memory.dmp

                                                    Filesize

                                                    1.1MB

                                                  • memory/3284-150-0x000000001CB00000-0x000000001CC02000-memory.dmp

                                                    Filesize

                                                    1.0MB

                                                  • memory/3348-116-0x000000001D300000-0x000000001D312000-memory.dmp

                                                    Filesize

                                                    72KB

                                                  • memory/4108-142-0x000000001D000000-0x000000001D102000-memory.dmp

                                                    Filesize

                                                    1.0MB

                                                  • memory/4384-135-0x000000001CA00000-0x000000001CB02000-memory.dmp

                                                    Filesize

                                                    1.0MB

                                                  • memory/4868-177-0x000000001BDF0000-0x000000001BE02000-memory.dmp

                                                    Filesize

                                                    72KB

                                                  • memory/4956-43-0x00000275FDAC0000-0x00000275FDAE2000-memory.dmp

                                                    Filesize

                                                    136KB