Analysis

  • max time kernel
    145s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 02:00

General

  • Target

    JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5.exe

  • Size

    1.3MB

  • MD5

    3366a3f733a92c923f7fad40563905e7

  • SHA1

    3b40dde236c645b1a254f23381bbe739a7b318e0

  • SHA256

    032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5

  • SHA512

    b1f6f783b4f859c64aefa486660a516e933878f306b6e1c8dd86b7a330932fdafa683db0ea6f04591916dabad529df1f5527f2091980e63fd65fb11520b83299

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT that has been active since June 2019 and is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2388
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2760
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2904
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2216
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2184
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2148
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1796
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3052
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2920
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2480
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\WCN\en-US\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1208
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\locale\cs\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2428
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1948
          • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe
            "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2392
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:808
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2976
                • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe
                  "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:548
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cqXkQwtlzQ.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2704
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:2712
                      • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe
                        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2652
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jlvf1Vq2YP.bat"
                          10⤵
                            PID:2144
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              11⤵
                                PID:280
                              • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe
                                "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"
                                11⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:860
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat"
                                  12⤵
                                    PID:2752
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      13⤵
                                        PID:1704
                                      • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe
                                        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"
                                        13⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1936
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DJG58brWjr.bat"
                                          14⤵
                                            PID:1632
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              15⤵
                                                PID:2968
                                              • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe
                                                "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"
                                                15⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1576
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat"
                                                  16⤵
                                                    PID:2080
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      17⤵
                                                        PID:600
                                                      • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe
                                                        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"
                                                        17⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2732
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat"
                                                          18⤵
                                                            PID:1540
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              19⤵
                                                                PID:2804
                                                              • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe
                                                                "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"
                                                                19⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:292
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat"
                                                                  20⤵
                                                                    PID:2928
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      21⤵
                                                                        PID:2852
                                                                      • C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe
                                                                        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"
                                                                        21⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1572
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n6bUdMbtqP.bat"
                                                                          22⤵
                                                                            PID:568
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              23⤵
                                                                                PID:2288
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2556
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2504
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1256
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Pictures\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Pictures\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Pictures\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:576
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1484
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2688
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Tasks\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:852
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2400
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1808
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\WCN\en-US\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\System32\WCN\en-US\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\WCN\en-US\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1536
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\locale\cs\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1192
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\cs\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1204
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\locale\cs\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2968
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2872
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1960
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2360
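The Signatures and the process tree above together describe three behaviours that a detection engineer would want to match on raw process-creation telemetry: powershell.exe running Add-MpPreference to exclude each dropped path from Defender, schtasks /create entries (many with /rl HIGHEST) whose targets carry system-binary names such as lsm.exe, sppsvc.exe and dwm.exe but live in MSOCache, Recovery, a VLC locale folder and similar unrelated directories, and the repeated w32tm /stripchart /computer:localhost calls that the .bat stages use as a sleep between relaunches of lsm.exe. The following Python is an added example, not part of the report or of any sandbox tooling: it applies those three checks to a handful of command lines copied from the process tree plus one constructed benign schtasks line as a control. The rule names, the Finding structure, the SYSTEM_BINARIES list and the SYSTEM_DIRS allow-list are the example's own assumptions.

```python
"""Flag three behaviours from the report in raw process command lines:
PowerShell adding Defender exclusions, schtasks persistence pointing at
copies named after system binaries in unrelated directories, and the
w32tm /stripchart loop that the .bat stages use as a sleep."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One token per double- or single-quoted run, otherwise split on whitespace.
TOKEN = re.compile(r'''"[^"]*"|'[^']*'|\S+''')

# Assumed lists for this example: names the sample reuses for its dropped
# copies, and the only directories where the genuine binaries live.
SYSTEM_BINARIES = {"lsm.exe", "sppsvc.exe", "spoolsv.exe", "dwm.exe", "smss.exe",
                   "wininit.exe", "cmd.exe", "csrss.exe", "svchost.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass
class Finding:
    rule: str
    detail: str
    reasons: List[str] = field(default_factory=list)


def tokens(cmdline: str) -> List[str]:
    """Tokenize and strip the surrounding quotes from each token."""
    return [t.strip("\"'") for t in TOKEN.findall(cmdline)]


def image_name(toks: List[str]) -> str:
    """Lower-cased file name of the first token (the image being run)."""
    return toks[0].lower().rpartition("\\")[-1] if toks else ""


def masqueraded(path: str) -> bool:
    """True when the file name is a system-binary name but the directory is
    not a system directory (e.g. sppsvc.exe under MSOCache)."""
    directory, _, base = path.lower().rpartition("\\")
    return base in SYSTEM_BINARIES and directory not in SYSTEM_DIRS


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Return /tn /sc /mo /tr and the run level of a 'schtasks /create' line."""
    toks = tokens(cmdline)
    lowered = [t.lower() for t in toks]
    if image_name(toks) not in ("schtasks", "schtasks.exe") or "/create" not in lowered:
        return None
    opts = {"highest": False}
    for i, t in enumerate(lowered[:-1]):
        if t in ("/tn", "/sc", "/mo", "/tr"):
            opts[t[1:]] = toks[i + 1]
        elif t == "/rl":
            opts["highest"] = lowered[i + 1] == "highest"
    return opts


def analyze(cmdlines: List[str]) -> List[Finding]:
    findings = []
    for cmd in cmdlines:
        toks = tokens(cmd)
        lowered = [t.lower() for t in toks]
        image = image_name(toks)

        # 1. Defender exclusion added from PowerShell (defense evasion).
        if image in ("powershell", "powershell.exe") and "add-mppreference" in lowered:
            for i, t in enumerate(lowered[:-1]):
                if t.startswith("-exclusion"):
                    findings.append(Finding("defender_exclusion", toks[i + 1], [toks[i]]))

        # 2. schtasks persistence: highest run level and/or masqueraded target.
        task = parse_schtasks(cmd)
        if task:
            reasons = []
            if task["highest"]:
                reasons.append("/rl HIGHEST")
            if masqueraded(task.get("tr", "")):
                reasons.append("system-binary name outside system directory")
            if reasons:
                findings.append(Finding("scheduled_task",
                                        f"{task.get('tn', '?')} -> {task.get('tr', '')}", reasons))

        # 3. w32tm polling localhost is a delay primitive, not time sync.
        if image in ("w32tm", "w32tm.exe") and "/stripchart" in lowered and "/computer:localhost" in lowered:
            findings.append(Finding("w32tm_delay", cmd))
    return findings


def summarize(cmdlines: List[str]) -> dict:
    """Count findings per rule name."""
    counts = {}
    for f in analyze(cmdlines):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Command lines copied from the process tree in the report, plus one
# constructed benign schtasks line (NightlyBackup) as a control.
SAMPLE = [
    '"powershell" -Command Add-MpPreference -ExclusionPath ' r"'C:\providercommon\DllCommonsvc.exe'",
    '"powershell" -Command Add-MpPreference -ExclusionPath ' r"'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'",
    r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"',
    r"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
    r'''schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f''',
    r'''schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\System32\WCN\en-US\cmd.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /tr "C:\Program Files\Acme\backup.exe" /f''',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"{f.rule:<19} {f.detail}  {'; '.join(f.reasons)}")
```

The masquerading check is deliberately a directory comparison rather than a prefix match: C:\Windows\System32\WCN\en-US\cmd.exe from the tree starts with the System32 path but is not the real cmd.exe, and a prefix test would let it through. Over the full tree the same logic yields 10 exclusion findings and 27 task findings, matching the IoC counts in the Signatures list.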

Network

MITRE ATT&CK Enterprise v15

                                        Downloads

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                        • C:\Users\Admin\AppData\Local\Temp\CabA085.tmp

                                          Filesize

                                          70KB

                                        • C:\Users\Admin\AppData\Local\Temp\DJG58brWjr.bat

                                          Filesize

                                          221B

                                        • C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat

                                          Filesize

                                          221B

                                        • C:\Users\Admin\AppData\Local\Temp\Jlvf1Vq2YP.bat

                                          Filesize

                                          221B

                                        • C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat

                                          Filesize

                                          221B

                                        • C:\Users\Admin\AppData\Local\Temp\TarA098.tmp

                                          Filesize

                                          181KB

                                        • C:\Users\Admin\AppData\Local\Temp\cqXkQwtlzQ.bat

                                          Filesize

                                          221B

                                        • C:\Users\Admin\AppData\Local\Temp\n6bUdMbtqP.bat

                                          Filesize

                                          221B

                                        • C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat

                                          Filesize

                                          221B

                                        • C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat

                                          Filesize

                                          221B

                                        • C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat

                                          Filesize

                                          221B

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YP1CTHXWVJ3E67MD9JT3.temp

                                          Filesize

                                          7KB

                                        • C:\providercommon\1zu9dW.bat

                                          Filesize

                                          36B

                                        • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                          Filesize

                                          197B

                                        • \providercommon\DllCommonsvc.exe

                                          Filesize

                                          1.0MB

                                        • memory/548-152-0x0000000000AE0000-0x0000000000BF0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/860-272-0x0000000000E20000-0x0000000000F30000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2392-93-0x0000000000AC0000-0x0000000000BD0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2428-72-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

                                          Filesize

                                          2.9MB

                                        • memory/2652-212-0x00000000001E0000-0x00000000002F0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2904-14-0x00000000001D0000-0x00000000001E2000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/2904-13-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2904-17-0x0000000000200000-0x000000000020C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2904-16-0x00000000001F0000-0x00000000001FC000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2904-15-0x00000000001E0000-0x00000000001EC000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2920-92-0x0000000002810000-0x0000000002818000-memory.dmp

                                          Filesize

                                          32KB