Analysis

  • max time kernel
    148s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2024, 02:08

General

  • Target

    JaffaCakes118_e1f0f2f5e55c765cdbfc8e3c1253dae71a1e7bfaf2e356f2c88a083fda35fc84.exe

  • Size

    1.3MB

  • MD5

    c15e937fb952f8d30752b67a62073bf3

  • SHA1

    0c60be5e4fbceac78315bb97963bc8f1ac738ef9

  • SHA256

    e1f0f2f5e55c765cdbfc8e3c1253dae71a1e7bfaf2e356f2c88a083fda35fc84

  • SHA512

    82ca40ef9fc2d955803cb490fa2e0b42034478f8b78130632dd11d8b61771d1860929b5711c8b7544c4e19f6537ad20c64972d6486138eb3913f94c3eccc613a

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 18 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 17 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e1f0f2f5e55c765cdbfc8e3c1253dae71a1e7bfaf2e356f2c88a083fda35fc84.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e1f0f2f5e55c765cdbfc8e3c1253dae71a1e7bfaf2e356f2c88a083fda35fc84.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3256
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2328
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5096
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4644
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4948
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\fontdrvhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4356
          • C:\providercommon\DllCommonsvc.exe
            "C:\providercommon\DllCommonsvc.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:5008
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:832
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppReadiness\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2572
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\services.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1276
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:408
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\DllCommonsvc.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4268
            • C:\Users\Default User\dllhost.exe
              "C:\Users\Default User\dllhost.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1532
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gMBHdlpNUB.bat"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:4676
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  8⤵
                    PID:2276
                  • C:\Users\Default User\dllhost.exe
                    "C:\Users\Default User\dllhost.exe"
                    8⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Modifies registry class
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4948
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PeSwWR6joe.bat"
                      9⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2856
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        10⤵
                          PID:5008
                        • C:\Users\Default User\dllhost.exe
                          "C:\Users\Default User\dllhost.exe"
                          10⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:2060
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIQ15LoDrx.bat"
                            11⤵
                            • Suspicious use of WriteProcessMemory
                            PID:1764
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              12⤵
                                PID:944
                              • C:\Users\Default User\dllhost.exe
                                "C:\Users\Default User\dllhost.exe"
                                12⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Modifies registry class
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of WriteProcessMemory
                                PID:4560
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat"
                                  13⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:4604
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    14⤵
                                      PID:1180
                                    • C:\Users\Default User\dllhost.exe
                                      "C:\Users\Default User\dllhost.exe"
                                      14⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Modifies registry class
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      PID:4796
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OZJpL0Zeaq.bat"
                                        15⤵
                                        • Suspicious use of WriteProcessMemory
                                        PID:3408
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          16⤵
                                            PID:1924
                                          • C:\Users\Default User\dllhost.exe
                                            "C:\Users\Default User\dllhost.exe"
                                            16⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Modifies registry class
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            • Suspicious use of WriteProcessMemory
                                            PID:4524
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat"
                                              17⤵
                                              • Suspicious use of WriteProcessMemory
                                              PID:4444
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                18⤵
                                                  PID:3900
                                                • C:\Users\Default User\dllhost.exe
                                                  "C:\Users\Default User\dllhost.exe"
                                                  18⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Modifies registry class
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:5012
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8wkcP7O697.bat"
                                                    19⤵
                                                      PID:1632
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        20⤵
                                                          PID:864
                                                        • C:\Users\Default User\dllhost.exe
                                                          "C:\Users\Default User\dllhost.exe"
                                                          20⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Modifies registry class
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:3492
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat"
                                                            21⤵
                                                              PID:3716
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                22⤵
                                                                  PID:4464
                                                                • C:\Users\Default User\dllhost.exe
                                                                  "C:\Users\Default User\dllhost.exe"
                                                                  22⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Modifies registry class
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:628
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat"
                                                                    23⤵
                                                                      PID:760
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        24⤵
                                                                          PID:1232
                                                                        • C:\Users\Default User\dllhost.exe
                                                                          "C:\Users\Default User\dllhost.exe"
                                                                          24⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Modifies registry class
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:432
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HfroAScfQF.bat"
                                                                            25⤵
                                                                              PID:2092
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                26⤵
                                                                                  PID:4040
                                                                                • C:\Users\Default User\dllhost.exe
                                                                                  "C:\Users\Default User\dllhost.exe"
                                                                                  26⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Modifies registry class
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:4952
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat"
                                                                                    27⤵
                                                                                      PID:4308
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        28⤵
                                                                                          PID:1472
                                                                                        • C:\Users\Default User\dllhost.exe
                                                                                          "C:\Users\Default User\dllhost.exe"
                                                                                          28⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Modifies registry class
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:3660
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xAFUrPKKMy.bat"
                                                                                            29⤵
                                                                                              PID:4948
                                                                                              • C:\Windows\system32\w32tm.exe
                                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                30⤵
                                                                                                  PID:4768
                                                                                                • C:\Users\Default User\dllhost.exe
                                                                                                  "C:\Users\Default User\dllhost.exe"
                                                                                                  30⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Modifies registry class
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:3456
                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCeLVPpGxY.bat"
                                                                                                    31⤵
                                                                                                      PID:3008
                                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                        32⤵
                                                                                                          PID:1392
                                                                                                        • C:\Users\Default User\dllhost.exe
                                                                                                          "C:\Users\Default User\dllhost.exe"
                                                                                                          32⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Modifies registry class
                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:3692
                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZES4mQr7Bk.bat"
                                                                                                            33⤵
                                                                                                              PID:2612
                                                                                                              • C:\Windows\system32\w32tm.exe
                                                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                34⤵
                                                                                                                  PID:2012
                                                                                                                • C:\Users\Default User\dllhost.exe
                                                                                                                  "C:\Users\Default User\dllhost.exe"
                                                                                                                  34⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  PID:4332
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsass.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2948
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2944
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4464
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\fontdrvhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1620
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\fontdrvhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1736
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\fontdrvhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2212
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Windows\AppReadiness\powershell.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:804
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\AppReadiness\powershell.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4944
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Windows\AppReadiness\powershell.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4432
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\services.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3620
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\services.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:376
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\services.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4580
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dllhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4224
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2404
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:448
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Start Menu\DllCommonsvc.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4828
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\DllCommonsvc.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4248
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Start Menu\DllCommonsvc.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4436

                                              Network

                                                    MITRE ATT&CK Enterprise v15

                                                    Replay Monitor

                                                    Loading Replay Monitor...

                                                    Downloads

                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

                                                      Filesize

                                                      1KB

                                                      MD5

                                                      7f3c0ae41f0d9ae10a8985a2c327b8fb

                                                      SHA1

                                                      d58622bf6b5071beacf3b35bb505bde2000983e3

                                                      SHA256

                                                      519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

                                                      SHA512

                                                      8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

                                                      Filesize

                                                      1KB

                                                      MD5

                                                      baf55b95da4a601229647f25dad12878

                                                      SHA1

                                                      abc16954ebfd213733c4493fc1910164d825cac8

                                                      SHA256

                                                      ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                                      SHA512

                                                      24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                      Filesize

                                                      2KB

                                                      MD5

                                                      d85ba6ff808d9e5444a4b369f5bc2730

                                                      SHA1

                                                      31aa9d96590fff6981b315e0b391b575e4c0804a

                                                      SHA256

                                                      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                      SHA512

                                                      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                      Filesize

                                                      944B

                                                      MD5

                                                      8719edbfd6e55edd2b91a5667dbd21af

                                                      SHA1

                                                      7c489dc8674d1cdb115753beceecf53e709bbc41

                                                      SHA256

                                                      e1b54baf626a4ab438440167ec2901b6267546ca838ba0feefe3b6f69d54df10

                                                      SHA512

                                                      562d6198edafe2c3bc504253aa7734f9741d2443d51d0e2188aaafe40183e2377a0aceddc594932ef8a7c95dd8e426388d966bd2cbaa77ed4d0cf3df666c151a

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                      Filesize

                                                      944B

                                                      MD5

                                                      63d10e9fd02561e2af82093beb5ea4db

                                                      SHA1

                                                      9ba1b319cb7f029ba423498aa419b2a7852cb7bb

                                                      SHA256

                                                      df72106c99ca97c7084a478ad2855ac6f3efb6afe380de46f2167c3a178b0b0a

                                                      SHA512

                                                      baf4ddb8899b5fbcbe605cad3bcd3fb70cfc05c2d5807a867962d4147ef2bb29b31ab53767bb39e0032cbf70bfbccb604cb31cfb6bcdf4905a19907588682712

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                      Filesize

                                                      944B

                                                      MD5

                                                      120c6c9af4de2accfcff2ed8c3aab1af

                                                      SHA1

                                                      504f64ae4ac9c4fe308a6a50be24fe464f3dad95

                                                      SHA256

                                                      461315e4057c3fa4d0031df3f7e6511914f082698b6c41f5c2ada831ceffb222

                                                      SHA512

                                                      041712168718dff702da8203b4089b2e57db98ce503b8ecf36809dec0cd7a595a0d427caa960bc1bd29cbedc85ad3262773f2077a476b85aca387d48f7b07ba2

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                      Filesize

                                                      944B

                                                      MD5

                                                      77d622bb1a5b250869a3238b9bc1402b

                                                      SHA1

                                                      d47f4003c2554b9dfc4c16f22460b331886b191b

                                                      SHA256

                                                      f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

                                                      SHA512

                                                      d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                      Filesize

                                                      944B

                                                      MD5

                                                      cadef9abd087803c630df65264a6c81c

                                                      SHA1

                                                      babbf3636c347c8727c35f3eef2ee643dbcc4bd2

                                                      SHA256

                                                      cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

                                                      SHA512

                                                      7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                                                    • C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat

                                                      Filesize

                                                      198B

                                                      MD5

                                                      ed1454ea4d261130fbdbf8dabd7a680c

                                                      SHA1

                                                      ab6d3cec303c17afe677fe24d4a70a4d18ae3abb

                                                      SHA256

                                                      075524a68e16ebfbc9cafcd87ef5ef93e2a46f77a100e70177cb95887b33f0b4

                                                      SHA512

                                                      c7d64fbcdeef9dbafb43ef4287b1c5967e7805b98a151073317b77eadc8fca814e988eb63127979e88933c1606400dcabb742ba733e145bb4b6444832c6573e0

                                                    • C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat

                                                      Filesize

                                                      198B

                                                      MD5

                                                      ef08a7defd6890be762efaf7fa4850d4

                                                      SHA1

                                                      1c63012d6e54dd5ad7b1c7551c7784ad05189ce7

                                                      SHA256

                                                      a4a975d02289cac5d6e1094f04031cb9f13b845c8d369d7621fd10f0b848fea3

                                                      SHA512

                                                      c15d181d19773bae674bb00e13d587fc2dfc3551dcdd4446525eebccb528c7ae53b095846d1f697fcc918ffa1f2c22be5b670f9224cfc726ab6106b16cd94516

                                                    • C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat

                                                      Filesize

                                                      198B

                                                      MD5

                                                      95e628dd7cdd477d505d2dc9590167d9

                                                      SHA1

                                                      de023337349ad282e529e112f9fe530f0d77fe49

                                                      SHA256

                                                      9f0aaa3d5554ee7dd0ccecbb061dd90a3ba4bcad048b30228b26d81a7adb28a5

                                                      SHA512

                                                      ef120d5dd3ca0b5b9c05046b4868d691865f2bcbf81deb89646b23a05c749dfcdf40fe30722e0ded46665e14e7d08a7209e3d57d00cc240819ce86b33bd571b6

                                                    • C:\Users\Admin\AppData\Local\Temp\8wkcP7O697.bat

                                                      Filesize

                                                      198B

                                                      MD5

                                                      82f18dce8453044e764b6cc176f35d99

                                                      SHA1

                                                      054b68e044ffbf227d094fe40b17de261ea17ee1

                                                      SHA256

                                                      b3a024bec659ccc1884a84740828472e1dfe0f9563daf4a40e77ea2df3a2e6ba

                                                      SHA512

                                                      35e10e0c037e8b5d336bb82ea239926dbbc908690e60566af35efe10491b30c86e533127f07f01e93ebf4184032d66522c1739257c731c4f01b1e414afd4eab4

                                                    • C:\Users\Admin\AppData\Local\Temp\HfroAScfQF.bat

                                                      Filesize

                                                      198B

                                                      MD5

                                                      774ff768254a2e59ea90681b1a8b93da

                                                      SHA1

                                                      f686577ec404fe52f1088aa8a71ac368368f2057

                                                      SHA256

                                                      eb7044c95ce5fc39e776d20550b1d67e87a49c77dd3cd32bc68694af72ebac60

                                                      SHA512

                                                      b5b6db38d30918997994ab1946bd61b678e88e6c3262f3dfb8b7462b61b16845e8d6c486845bd72767ea6a59c57193a608cd6a7f0dc9537bc25d3cb893f147d2

                                                    • C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat

                                                      Filesize

                                                      198B

                                                      MD5

                                                      ac4bf972ba23e3aa7a211fe98b91ee0d

                                                      SHA1

                                                      9f432d06a757b5ec9290f83092c4819c041bd75c

                                                      SHA256

                                                      4f701809cb92eef929a599da24195649f406d85031fcc1737cfe0e193dec417b

                                                      SHA512

                                                      bfb0e08d99eb8e8345b688fb215e51414f4e6d62e7d5c11e90b1284f6e04cb3261e32e747f3464bbb1c9e255598c5e5b54f6ee624d76ca088cfcb9512a8418c3

                                                    • C:\Users\Admin\AppData\Local\Temp\OZJpL0Zeaq.bat

                                                      Filesize

                                                      198B

                                                      MD5

                                                      08cd766efff4864bae6c7d292b38f14e

                                                      SHA1

                                                      ea4edb7e746135d54b013e1546a42c53e3bc9ed6

                                                      SHA256

                                                      ef97e96643b408a6b7de09a19b5af5ebf35ee09fb4c59c20798018d6e58f14b1

                                                      SHA512

                                                      03580d512dda1b0cae2a7dc565a1166ac202e748a6c48c2cb9ec806619fca92c17e8c322ef743eaaee140a44adb92c7ba3960af1be6631402eb6a3797c6bd052

                                                    • C:\Users\Admin\AppData\Local\Temp\PeSwWR6joe.bat

                                                      Filesize

                                                      198B

                                                      MD5

                                                      27dc1e3c1b2ee313a78387df9f445340

                                                      SHA1

                                                      bcadddf0dd8327a950f5cd8a0ff14547b5e33c9d

                                                      SHA256

                                                      564d376e5361d55f4f7d0f498a9140440ec3d522a1b4bf56d9b8c09fd74f3092

                                                      SHA512

                                                      5b66c9355ce090534881db1f1803406697f7abf5a28d5672ca18bcae3cbd5ca1be869a21f732f8562e76a1d98f50d3d105a1e991ed39a4aa317e43806da832cc

                                                    • C:\Users\Admin\AppData\Local\Temp\XIQ15LoDrx.bat

                                                      Filesize

                                                      198B

                                                      MD5

                                                      9add2d1444f88d00ea6ea8d6ef7ad9db

                                                      SHA1

                                                      87ff3b15e17b272f86cd6b071f5cdefd6e284098

                                                      SHA256

                                                      0390619a2f1984019ddbde1e94420a65c1acb5fd8485868c04f5166b6798144f

                                                      SHA512

                                                      746a72ce9b4f06a7db23ccf3970b029530013e6082d5cf8de41c5cdaa015707765d249a55d0dca8c738365fee1c94b44ecfc26e7ae141d9f053cecb390d3bde8

                                                    • C:\Users\Admin\AppData\Local\Temp\ZES4mQr7Bk.bat

                                                      Filesize

                                                      198B

                                                      MD5

                                                      0c1b04b20c1510d7fac90ceba7738cc4

                                                      SHA1

                                                      dfb1802deb2733b5798efa7dd76bdcbee9ae5980

                                                      SHA256

                                                      48d3c46ea63ceb5a56e8cec2c1664a34ed6bb4ad5624c2c80762f39cf8a069cc

                                                      SHA512

                                                      d3ae1cd13c9babdf2c5c82bae8f6682211903325f0961d19f74ca02fa5bd184052c473346f5284a98cdd3efe421b7fc8c988b204567432d50529ae27fc60834f

                                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mbwxcj1j.fyg.ps1

                                                      Filesize

                                                      60B

                                                      MD5

                                                      d17fe0a3f47be24a6453e9ef58c94641

                                                      SHA1

                                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                      SHA256

                                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                      SHA512

                                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                    • C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat

                                                      Filesize

                                                      198B

                                                      MD5

                                                      54b439bf15f84e4d3d301a0fd593ff3f

                                                      SHA1

                                                      7cdc870684a90d89d1dc469c501dae58290c66d0

                                                      SHA256

                                                      2820993acb05c563a5b2705a7d748a544add104c6acfb5652f1e3b6b1c441321

                                                      SHA512

                                                      051270099f2274b3e3db3f398cee83c06b14c1e12d6d416b2b405c9f65ead8d1c0dc09c7f41c7743f581d629a4aeb4ac9668448a49497f64d20f637584cf7601

                                                    • C:\Users\Admin\AppData\Local\Temp\gMBHdlpNUB.bat

                                                      Filesize

                                                      198B

                                                      MD5

                                                      f2ea85fb210808b3b8bc05e2a106f952

                                                      SHA1

                                                      2d0672df3aad35b66879b021a97929d78c254005

                                                      SHA256

                                                      2f8176a8069cddb970b889f865897f330aa4298c803db4ffd470657e15754c3d

                                                      SHA512

                                                      3c714d1ccaa83c36e1d45c2de6711c1f8686ded62a6de0b6beeeea661818bb47bae9d5ecbbef7fcab21d6336d762b2361c95843ac92301ea2c8cf2c315ea1d48

                                                    • C:\Users\Admin\AppData\Local\Temp\pCeLVPpGxY.bat

                                                      Filesize

                                                      198B

                                                      MD5

                                                      4d88931f4c36529752e00df220a28bc9

                                                      SHA1

                                                      4f6fbf5c58ab9748893b8c4eeff5bb3d364b5620

                                                      SHA256

                                                      c2fc0605e1f4fcb2c5081445109cd1595237918bfe1ba3df9ed9bed6a7dfd6ea

                                                      SHA512

                                                      225585bbda5e83f52fe264e5dca81878197c972fe3768aa700fcb9acb429b894fad66b208600788bfa9208e94be6a847b993a2ffb973da8292e8429ad6a68f78

                                                    • C:\Users\Admin\AppData\Local\Temp\xAFUrPKKMy.bat

                                                      Filesize

                                                      198B

                                                      MD5

                                                      3281c3118807fa3cf6aaec8a0be88b6d

                                                      SHA1

                                                      37a9c18fef7408fed3dc1ee5890476c18a65b341

                                                      SHA256

                                                      5f523c87b87aeb605bc7a57fb501f9e613bd003b8384148a7e124753de5fc2f0

                                                      SHA512

                                                      76b93e63db6f066c91323bd7f8dccf690ba6c4383e790121f5900e25ece31e31841c1504b637118dfc4bb2e2e814879eb4aefe0a3d5bd5ea1b408bb2738840fa

                                                    • C:\providercommon\1zu9dW.bat

                                                      Filesize

                                                      36B

                                                      MD5

                                                      6783c3ee07c7d151ceac57f1f9c8bed7

                                                      SHA1

                                                      17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                      SHA256

                                                      8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                      SHA512

                                                      c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                    • C:\providercommon\DllCommonsvc.exe

                                                      Filesize

                                                      1.0MB

                                                      MD5

                                                      bd31e94b4143c4ce49c17d3af46bcad0

                                                      SHA1

                                                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                      SHA256

                                                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                      SHA512

                                                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                    • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                      Filesize

                                                      197B

                                                      MD5

                                                      8088241160261560a02c84025d107592

                                                      SHA1

                                                      083121f7027557570994c9fc211df61730455bb5

                                                      SHA256

                                                      2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                      SHA512

                                                      20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                                    • memory/432-195-0x00000000027D0000-0x00000000027E2000-memory.dmp

                                                      Filesize

                                                      72KB

                                                    • memory/1532-126-0x0000000000A60000-0x0000000000A72000-memory.dmp

                                                      Filesize

                                                      72KB

                                                    • memory/2060-150-0x0000000002940000-0x0000000002952000-memory.dmp

                                                      Filesize

                                                      72KB

                                                    • memory/3492-186-0x000000001C910000-0x000000001CA7A000-memory.dmp

                                                      Filesize

                                                      1.4MB

                                                    • memory/3660-208-0x0000000002B90000-0x0000000002BA2000-memory.dmp

                                                      Filesize

                                                      72KB

                                                    • memory/3692-221-0x0000000000EF0000-0x0000000000F02000-memory.dmp

                                                      Filesize

                                                      72KB

                                                    • memory/4356-39-0x000001B2F37A0000-0x000001B2F37C2000-memory.dmp

                                                      Filesize

                                                      136KB

                                                    • memory/4560-157-0x0000000000D90000-0x0000000000DA2000-memory.dmp

                                                      Filesize

                                                      72KB

                                                    • memory/5008-53-0x0000000003140000-0x0000000003152000-memory.dmp

                                                      Filesize

                                                      72KB

                                                    • memory/5096-13-0x00000000004B0000-0x00000000005C0000-memory.dmp

                                                      Filesize

                                                      1.1MB

                                                    • memory/5096-12-0x00007FFB5B9E3000-0x00007FFB5B9E5000-memory.dmp

                                                      Filesize

                                                      8KB

                                                    • memory/5096-14-0x00000000026C0000-0x00000000026D2000-memory.dmp

                                                      Filesize

                                                      72KB

                                                    • memory/5096-15-0x00000000027E0000-0x00000000027EC000-memory.dmp

                                                      Filesize

                                                      48KB

                                                    • memory/5096-16-0x00000000027F0000-0x00000000027FC000-memory.dmp

                                                      Filesize

                                                      48KB

                                                    • memory/5096-17-0x0000000002800000-0x000000000280C000-memory.dmp

                                                      Filesize

                                                      48KB