Analysis

  • max time kernel
    147s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 01:55

General

  • Target

    JaffaCakes118_bbc9ddc269c43c2f86c1daa880e8dd11d578c49b95557c8b3fa0a95fe963b874.exe

  • Size

    1.3MB

  • MD5

    bc2b67f63b3b07241fde5db665cd8022

  • SHA1

    9811b6429483dd3e85992a2bc3df2f70c08c112c

  • SHA256

    bbc9ddc269c43c2f86c1daa880e8dd11d578c49b95557c8b3fa0a95fe963b874

  • SHA512

    08928d21f9b71341618240f68b73be07979f4d213db60051a9a40033f04d669c56981e176c6e67e0ce6ef0b42fef110c77033f879976047237f24f15869e6d24

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbc9ddc269c43c2f86c1daa880e8dd11d578c49b95557c8b3fa0a95fe963b874.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbc9ddc269c43c2f86c1daa880e8dd11d578c49b95557c8b3fa0a95fe963b874.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1552
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2312
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2580
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1264
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1928
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1652
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:812
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:620
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zm1JPwAIFX.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2244
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1532
              • C:\providercommon\DllCommonsvc.exe
                "C:\providercommon\DllCommonsvc.exe"
                6⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3032
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2052
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:840
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2344
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2572
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dllhost.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2084
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Utfk4Eg9N4.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2632
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:2404
                    • C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
                      "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1788
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:408
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:348
                          • C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
                            "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
                            10⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1100
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
                              11⤵
                                PID:1776
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  12⤵
                                    PID:3052
                                  • C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
                                    "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
                                    12⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2972
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1CKPPXbanu.bat"
                                      13⤵
                                        PID:1844
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          14⤵
                                            PID:2408
                                          • C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
                                            "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
                                            14⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2344
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiBdOqTAMf.bat"
                                              15⤵
                                                PID:1360
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  16⤵
                                                    PID:2732
                                                  • C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
                                                    "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
                                                    16⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2696
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kbrh69MYEy.bat"
                                                      17⤵
                                                        PID:2000
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          18⤵
                                                            PID:1652
                                                          • C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
                                                            "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
                                                            18⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2736
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat"
                                                              19⤵
                                                                PID:1508
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  20⤵
                                                                    PID:1416
                                                                  • C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
                                                                    "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
                                                                    20⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2428
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat"
                                                                      21⤵
                                                                        PID:2588
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          22⤵
                                                                            PID:2804
                                                                          • C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
                                                                            "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
                                                                            22⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2388
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat"
                                                                              23⤵
                                                                                PID:788
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  24⤵
                                                                                    PID:3012
                                                                                  • C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
                                                                                    "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
                                                                                    24⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:2196
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat"
                                                                                      25⤵
                                                                                        PID:1004
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          26⤵
                                                                                            PID:892
                                                                                          • C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
                                                                                            "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
                                                                                            26⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:2968
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2520
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2800
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2756
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2536
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2484
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2516
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2940
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:352
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2260
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Users\Default\My Documents\DllCommonsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2416
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default\My Documents\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2400
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\Default\My Documents\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1752
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1708
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3016
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1220
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2524
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2204
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2996
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3064
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:776
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1888
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1724
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1004
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:892

                                        Network

                                              Downloads


                                              • memory/1100-160-0x0000000000F50000-0x0000000001060000-memory.dmp (Filesize: 1.1MB)
                                              • memory/1264-54-0x000000001B690000-0x000000001B972000-memory.dmp (Filesize: 2.9MB)
                                              • memory/1652-55-0x0000000001D80000-0x0000000001D88000-memory.dmp (Filesize: 32KB)
                                              • memory/1788-101-0x0000000000D40000-0x0000000000E50000-memory.dmp (Filesize: 1.1MB)
                                              • memory/2052-83-0x0000000001F70000-0x0000000001F78000-memory.dmp (Filesize: 32KB)
                                              • memory/2052-80-0x000000001B6E0000-0x000000001B9C2000-memory.dmp (Filesize: 2.9MB)
                                              • memory/2196-577-0x0000000000980000-0x0000000000A90000-memory.dmp (Filesize: 1.1MB)
                                              • memory/2344-279-0x00000000003C0000-0x00000000003D2000-memory.dmp (Filesize: 72KB)
                                              • memory/2388-517-0x00000000001C0000-0x00000000002D0000-memory.dmp (Filesize: 1.1MB)
                                              • memory/2580-14-0x00000000002C0000-0x00000000002D2000-memory.dmp (Filesize: 72KB)
                                              • memory/2580-13-0x0000000000FC0000-0x00000000010D0000-memory.dmp (Filesize: 1.1MB)
                                              • memory/2580-15-0x00000000002E0000-0x00000000002EC000-memory.dmp (Filesize: 48KB)
                                              • memory/2580-16-0x00000000002D0000-0x00000000002DC000-memory.dmp (Filesize: 48KB)
                                              • memory/2580-17-0x00000000002F0000-0x00000000002FC000-memory.dmp (Filesize: 48KB)
                                              • memory/2696-339-0x0000000001150000-0x0000000001260000-memory.dmp (Filesize: 1.1MB)
                                              • memory/2968-637-0x0000000000360000-0x0000000000470000-memory.dmp (Filesize: 1.1MB)