Analysis

  • max time kernel
    144s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 02:41

General

  • Target

    JaffaCakes118_233d602c2bb0aa039274d6901238323836ff9194fa38765b7a0fb4d0495a380a.exe

  • Size

    1.3MB

  • MD5

    70699415fbf2bae7812609534d511320

  • SHA1

    2c3258cc81f72281346d98c4fc7f2ecf9126b04b

  • SHA256

    233d602c2bb0aa039274d6901238323836ff9194fa38765b7a0fb4d0495a380a

  • SHA512

    ef4d4e77895eec4a0157dccc9a433e05f4fb12f61e94a0373ebaafd95c5b02f0dd7a7ec59599a22b39c3ccd44706f079a93050559573efc887e935edf76b5fe0

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Signatures

  • DcRat
    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
  • Dcrat family
  • Process spawned unexpected child process (27 IoCs)
    This typically indicates that the parent process was compromised via an exploit or macro.
  • DCRat payload (10 IoCs)
    Detects the DCRat payload, which is commonly dropped by NSIS installers.
  • Command and Scripting Interpreter: PowerShell (1 TTP, 10 IoCs)
    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  • Executes dropped EXE (10 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 9 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
    Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  • Scheduled Task/Job: Scheduled Task (1 TTP, 27 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Suspicious behavior: EnumeratesProcesses (19 IoCs)
  • Suspicious use of AdjustPrivilegeToken (19 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_233d602c2bb0aa039274d6901238323836ff9194fa38765b7a0fb4d0495a380a.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_233d602c2bb0aa039274d6901238323836ff9194fa38765b7a0fb4d0495a380a.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2036
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2848
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2040
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1824
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:748
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:648
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1072
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:552
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:840
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1816
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2600
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:696
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbUpz34cjT.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1112
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
              PID:492
              • C:\MSOCache\All Users\wininit.exe
                "C:\MSOCache\All Users\wininit.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2104
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FnVhX1xwia.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1948
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                  PID:2156
                    • C:\MSOCache\All Users\wininit.exe
                      "C:\MSOCache\All Users\wininit.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2808
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:744
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                      PID:2876
                          • C:\MSOCache\All Users\wininit.exe
                            "C:\MSOCache\All Users\wininit.exe"
                            10⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2640
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"
                              11⤵
                        PID:2452
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  12⤵
                          PID:1424
                                  • C:\MSOCache\All Users\wininit.exe
                                    "C:\MSOCache\All Users\wininit.exe"
                                    12⤵
                                    • Executes dropped EXE
                                    PID:492
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat"
                                      13⤵
                            PID:1372
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          14⤵
                              PID:1144
                                          • C:\MSOCache\All Users\wininit.exe
                                            "C:\MSOCache\All Users\wininit.exe"
                                            14⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1592
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat"
                                              15⤵
                                PID:1700
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  16⤵
                                  PID:2816
                                                  • C:\MSOCache\All Users\wininit.exe
                                                    "C:\MSOCache\All Users\wininit.exe"
                                                    16⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2704
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"
                                                      17⤵
                                    PID:2420
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          18⤵
                                      PID:1728
                                                          • C:\MSOCache\All Users\wininit.exe
                                                            "C:\MSOCache\All Users\wininit.exe"
                                                            18⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:1836
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat"
                                                              19⤵
                                        PID:2112
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  20⤵
                                          PID:916
                                                                  • C:\MSOCache\All Users\wininit.exe
                                                                    "C:\MSOCache\All Users\wininit.exe"
                                                                    20⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2724
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat"
                                                                      21⤵
                                            PID:1996
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          22⤵
                                              PID:2156
                                                                          • C:\MSOCache\All Users\wininit.exe
                                                                            "C:\MSOCache\All Users\wininit.exe"
                                                                            22⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2836
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2524
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Downloads\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2492
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2508
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\assembly\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\assembly\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\assembly\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1432
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:752
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2764
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1028
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1952
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\DllCommonsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1140
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Admin\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3044
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2260
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\providercommon\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:580

MITRE ATT&CK Enterprise v15

                                      Downloads

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        9a5ec167827f4eef604bc3e6bfd7f03d

                                        SHA1

                                        327a41e05c771c7fea07645eabb2aa6052d4a0a0

                                        SHA256

                                        a8e48a7e068f93e1282ea2a75b5a440865bf446ba8de15ea3d7ca86219b8fca9

                                        SHA512

                                        671bd491070043a4008bfaad140875b8b6abc5407f3760a2fa14ee45f8d0e12a933b5cddfc6259dcc3a06a5e87982655a570789a7a167b8d4a90d091a7cac9a2

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: dac806a8d6588f5301feb5f784d20035
  SHA1: c3fc23544cb71de09b609036e9888aa4015e9be1
  SHA256: dfcf8fb48d7b4ac743013c4930fd1125548284acf581a5577ebb3fd46fcfb305
  SHA512: e1c39aba64300017bd4d6ce974f8c995c6c48a72cb3594e08c4e8e86c3962806b81a1badb2a10c489e3250a955ade11719c2ee20d4c2862d0b2b5f43173c6add

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 4dd74bd643469b48d53b8603da3aa4a4
  SHA1: 62a9826eb8a3f27cc82a0766c5b358bed15f0e97
  SHA256: bd70c791ccc8767135fe1b87bd75a1ae6116af99ba7bb57f3569e0cc98a3a44c
  SHA512: 1c88d2f078ce7cd203de728e03bff9cdc6f988f56b3c5db7169e163b468c312a1b54eea6c1374aa606d96c375a52be5c95210bc41a56a18e156c27fe4138c8ef

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 358a6eb97ae440374325121230418dde
  SHA1: 306c4025c363b35b9f632f1b774ea8d5c613ca3b
  SHA256: 32e0b86878a7f4f8734de2a081817954b61abb47da1f856a5a681faa3741533a
  SHA512: 77fe88aa982c0feb15279b192f75ba0882341e7cd259b760e555fa9962ee9518498e8873c0fc42a80cca480ad099f634fc918eedee7540f491124abe3797f2a5

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 47d6d69d57d49771055f476715da6d79
  SHA1: 46707e479760c53cc7ee8788e077f94dfca98bae
  SHA256: c22eab2f13d426916debbb71db252ba3243d7b3ddd80d224875b63f8a78ea817
  SHA512: 2ee7d20da5218817e1b24a5e34d5cbb2792f0035bf6631891d71b513534c96dd3b1c3ecb49d496020a84b56cfe20658ad1d2350b24eb075859ba64f685aada9a

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 9ccba01ca69caaae6050efa8afb67a6c
  SHA1: 89d4b91e0597db358c95c8c72e17c2aad3b91f5f
  SHA256: ff93e357dfbbeca4de6dd4ab9453f35f1db0e115d6022fa03a08a57f904707c7
  SHA512: 4ad1cb34928a6489e8ba2d3b6d75b840b538955a86b4553df71f8ade20b5e63ca69fb7b902b13b4b785064870e11e4e870d666ded80653d3d091c054f0081e1c

• C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat
  Filesize: 198B
  MD5: d70c8a604a2bdae6dbaf873edddd6f7c
  SHA1: 875bd74cf9baf6665f8f10f4558791e893e84dc8
  SHA256: c617447157d215a94501226dd2d75f980ae0939189f01fe9e7182ebe819cf321
  SHA512: 5315aca98558f2c391a843d93cc2fae06b0f9e4c5c82d5b29d28f9431e6c65b4fd2fe9ec2e7c74c666a53afcd46b46171de6ad652b8aa0a787410735f6757286

• C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat
  Filesize: 198B
  MD5: e075f9722db5606f6db4dfc629094eec
  SHA1: 53938c2f5618ae37b0570c7b536f5c3328a2e9ea
  SHA256: 1aebd063c39ecd46bcb4acc47762fef0ae32a4bba13e4d2e61d3dbba7ebb6212
  SHA512: 89a3132f63d1ddbde6d3d85844f174f599b4936cc3edcb50dcf28e64557057892cc1a95f4a3e4b78156bb7216f577841baedcfda503643074e01e600e09fbf7b

• C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat
  Filesize: 198B
  MD5: 5a8c34c7e788586cdaf59f47307d4cf5
  SHA1: 52fa33810d5cac0d742738fa68998cac5189a35e
  SHA256: 8d363d494f030519978aa6fe909ebc4ced7b39f5bf1168872d9921ff59e421fe
  SHA512: 1395e6bb8b89a5e203c55ddda8669b52c8b64e6c5f89e6a12da2649761d0d5fd3a1129208a914fa24e253eb3dde7010d81ee5ab6b94d4a3ef0f995a5a3cf717a

• C:\Users\Admin\AppData\Local\Temp\CabE16.tmp
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

• C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat
  Filesize: 198B
  MD5: ef148d04b04847f53f804e6d7b16b5aa
  SHA1: f1931313604d3764d0c13914d4b73a13300054e9
  SHA256: 7bfe6e268e4e6cdf42170d5cbd6e99b40fe219aaf741588ce6f45d9fefdca81d
  SHA512: 02cef5e6a921cb0c04ca99dd38a18039139648c782d6b3b80d7b24e4ff739aa0ee9233a68ea02ed6186fbcb7ccf1a111215f136a455e7ab1161e751ae761f127

• C:\Users\Admin\AppData\Local\Temp\FnVhX1xwia.bat
  Filesize: 198B
  MD5: 1c6834fa1c99aa52b0364805be3fb87e
  SHA1: 264a252a0bbde118f5500c133693601f64c9cc9d
  SHA256: 08beeec6897fe0d411c502207477c08c0d0f0eda086a7404af36d0585c63f812
  SHA512: e6cb757361809dba3ecc688e9ef8b6d16de68d2f838d99bc07a353518981d9e53036520e5de12923dd0b5959e2f40805d9cb2d63fabaf2c2cad09f58a6c24d0c

• C:\Users\Admin\AppData\Local\Temp\TarE39.tmp
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

• C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat
  Filesize: 198B
  MD5: 95a13a74475b6fe94e06b69e07664c76
  SHA1: fae7f2d0b166a7da8435072e247b1658fd2331fd
  SHA256: 170d0f52b93b24508e8612437e9c46ef08ba488ed8e97a2f2128b3dab488742e
  SHA512: f02604c5d737ef1b71a97ea6d230a243dd1c765aeda5efef1ce75534318df081d1e8c142975aa254d4d5a2118c5a2dc38e101d92b20617c758f277635a388656

• C:\Users\Admin\AppData\Local\Temp\bbUpz34cjT.bat
  Filesize: 198B
  MD5: 441e2d1d650a6fdc2bc4bf9a48c17f3f
  SHA1: 0e63c9b5cd8dedb0e6e805e1340e37a531061e80
  SHA256: 0ec5227fdc9794bcf07f274037f73b54bef2a5de5a506172279179f66859330e
  SHA512: 0ea31dcd6e48032a3471ee95e90389872e81b79b98d78e7b51bba830282385cec94bd37f64d60f11620455fd78534c7ae89e451c30d156851cdb557b3bb1ec36

• C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat
  Filesize: 198B
  MD5: d87bca573f564f28a1f51be4131ed19e
  SHA1: 59eb30f48f91595510a53ff952af5e420c603bbc
  SHA256: 6ed073234a051212e5a537fba2379882f7a3396e655b2e253557702ca42a846a
  SHA512: 5848f75646e4b8268162a76dd3df600e897a3707de9fa74e46708cdb860228ababa4e005dd83e355b2ba24d3a982e7d94696994b88e72c753186e57f52009f03

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 29fb4af2eb4ba06cb17ea480eed428a7
  SHA1: 4d9064236ef449358b86f6b4edf2f7b24c047037
  SHA256: 457fc0d8e4c4149f3b8f0ee0702a94b95ce8d21d6f34d0c92577465ab10e0411
  SHA512: 8bdbafc21e9b8e8c5bd1d9202688c6101dfaf90c04224ae3f959969f0bdc87b972fb21ffaf87e9467d1fd9862c0e2d49e1496c9d9793cc5bee1d96dcf3bf41bb

• C:\providercommon\1zu9dW.bat
  Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

• \providercommon\DllCommonsvc.exe
  Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• memory/1072-53-0x000000001B570000-0x000000001B852000-memory.dmp
  Filesize: 2.9MB

• memory/1592-275-0x00000000010A0000-0x00000000011B0000-memory.dmp
  Filesize: 1.1MB

• memory/1592-276-0x0000000000150000-0x0000000000162000-memory.dmp
  Filesize: 72KB

• memory/1760-516-0x0000000001030000-0x0000000001140000-memory.dmp
  Filesize: 1.1MB

• memory/1824-58-0x0000000001D80000-0x0000000001D88000-memory.dmp
  Filesize: 32KB

• memory/1836-396-0x0000000000990000-0x0000000000AA0000-memory.dmp
  Filesize: 1.1MB

• memory/2104-93-0x0000000000260000-0x0000000000370000-memory.dmp
  Filesize: 1.1MB

• memory/2640-212-0x0000000001380000-0x0000000001490000-memory.dmp
  Filesize: 1.1MB

• memory/2704-336-0x00000000000C0000-0x00000000001D0000-memory.dmp
  Filesize: 1.1MB

• memory/2724-456-0x0000000000CF0000-0x0000000000E00000-memory.dmp
  Filesize: 1.1MB

• memory/2808-152-0x00000000001C0000-0x00000000002D0000-memory.dmp
  Filesize: 1.1MB

• memory/2848-15-0x0000000000550000-0x000000000055C000-memory.dmp
  Filesize: 48KB

• memory/2848-14-0x0000000000350000-0x0000000000362000-memory.dmp
  Filesize: 72KB

• memory/2848-13-0x0000000000130000-0x0000000000240000-memory.dmp
  Filesize: 1.1MB

• memory/2848-16-0x0000000000360000-0x000000000036C000-memory.dmp
  Filesize: 48KB

• memory/2848-17-0x0000000000670000-0x000000000067C000-memory.dmp
  Filesize: 48KB