Analysis

  • max time kernel
    146s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 17:35

General

  • Target
    JaffaCakes118_8bd5385c30b54b4890ccd384447c3532fc22fb975c00731cf134cb4e3c6677db.exe
  • Size
    1.3MB
  • MD5
    ef9929a8179ccfcb8742812486534e53
  • SHA1
    7b04591c689e7ab85edb495b7f6c26f08bfef9b6
  • SHA256
    8bd5385c30b54b4890ccd384447c3532fc22fb975c00731cf134cb4e3c6677db
  • SHA512
    e13619e405603a72c9ac0bd370c058c7d2feb1325a07316beecc7c9a48c763140071454ef6465d77ad4d0dd372d61b9b3bd05546583864a82d5a486068ba53b2
  • SSDEEP
    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat
    DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
  • Dcrat family
  • Process spawned unexpected child process (24 IoCs)
    This typically indicates the parent process was compromised via an exploit or macro.
  • DCRat payload (10 IoCs)
    Detects the DCRat payload, commonly dropped by NSIS installers.
  • Command and Scripting Interpreter: PowerShell (1 TTP, 9 IoCs)
    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  • Executes dropped EXE (11 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 10 IoCs)
  • Drops file in Program Files directory (5 IoCs)
  • Drops file in Windows directory (3 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Scheduled Task/Job: Scheduled Task (1 TTP, 24 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Suspicious behavior: EnumeratesProcesses (24 IoCs)
  • Suspicious use of AdjustPrivilegeToken (20 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8bd5385c30b54b4890ccd384447c3532fc22fb975c00731cf134cb4e3c6677db.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8bd5385c30b54b4890ccd384447c3532fc22fb975c00731cf134cb4e3c6677db.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2332
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2084
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2156
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2136
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\WMIADAP.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2448
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:576
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3020
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1396
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2080
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1864
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1484
          • C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe
            "C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1788
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1708
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2280
                • C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe
                  "C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2700
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2380
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:2324
                      • C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe
                        "C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2660
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ezzJRb6cS.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1608
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:1816
                            • C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe
                              "C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe"
                              11⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2436
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat"
                                12⤵
                                  PID:2516
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    13⤵
                                      PID:904
                                    • C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe
                                      "C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe"
                                      13⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1976
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fH1ASKIIFN.bat"
                                        14⤵
                                          PID:2372
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            15⤵
                                              PID:572
                                            • C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe
                                              "C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe"
                                              15⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2292
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W3ML2JPNvQ.bat"
                                                16⤵
                                                  PID:2736
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    17⤵
                                                      PID:2732
                                                    • C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe
                                                      "C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe"
                                                      17⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1144
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mv5UKbIUPK.bat"
                                                        18⤵
                                                          PID:1568
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            19⤵
                                                              PID:2756
                                                            • C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe
                                                              "C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe"
                                                              19⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:1124
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sQQ1IAg9p0.bat"
                                                                20⤵
                                                                  PID:1876
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    21⤵
                                                                      PID:2760
                                                                    • C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe
                                                                      "C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe"
                                                                      21⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:656
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat"
                                                                        22⤵
                                                                          PID:3056
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            23⤵
                                                                              PID:2448
                                                                            • C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe
                                                                              "C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe"
                                                                              23⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:1864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1440
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2824
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2608
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2604
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:688
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\providercommon\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1644
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1324
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2044
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1732
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Favorites\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1392
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Favorites\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Favorites\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2732
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2236
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2592

Network


Downloads

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        c8ad59d7c94b4c4d3b9d1c867e71d43f

                                        SHA1

                                        f3e54f589015bd69530014666f2bcbcb387330e9

                                        SHA256

                                        b5e78dfd2f58eaa8808462e5baa178e56bab1bd50b00cccbd12004aa74115693

                                        SHA512

                                        b5744f04925161225bbf98d035b2e78af2bfab1d4f60dbe6a483ae0f06b949456db29f94fe7ba921ec856f4e0afa4bdd8a5576a45fab4c22dc791153aff1c745

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        2d6ce279481c170af1ef5bc3d4d33bab

                                        SHA1

                                        5912a62be435ad364c747d9a7a0372abfa18f2f5

                                        SHA256

                                        c45d7870fc2e3548bf4010078a096635e1357d51cdccf9dde40b7b43d75baef4

                                        SHA512

                                        e65564628707e484215a1f1755c364e63d3119a51c01320357f8e7a6794711ce381a757596513e855e7e4fed2078228f554116dc8db66dd83cae82514891ae28

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        0b8091aca9c1e8754bb0096b431adb6c

                                        SHA1

                                        7ebceeb839e3d0d78f841ef7e9bf1d545613909f

                                        SHA256

                                        a5c78f8ac67810a1d2253c1455f91f24aba5760087a6a6b43d1c557c7a48012d

                                        SHA512

                                        5d64deb7ebc241bff56609381759496da2d8d09a7b493a74a2a94b072270c2c95d842d54942996cf2642e04eec306380a7b99c70313aa16e016bbcf398528ccc

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B


                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B


                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B


                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B


                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B


                                      • C:\Users\Admin\AppData\Local\Temp\7ezzJRb6cS.bat

                                        Filesize

                                        220B


                                      • C:\Users\Admin\AppData\Local\Temp\CabFBDE.tmp

                                        Filesize

                                        70KB


                                      • C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat

                                        Filesize

                                        220B


                                      • C:\Users\Admin\AppData\Local\Temp\TarFC00.tmp

                                        Filesize

                                        181KB


                                      • C:\Users\Admin\AppData\Local\Temp\W3ML2JPNvQ.bat

                                        Filesize

                                        220B


                                      • C:\Users\Admin\AppData\Local\Temp\fH1ASKIIFN.bat

                                        Filesize

                                        220B


                                      • C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat

                                        Filesize

                                        220B


                                      • C:\Users\Admin\AppData\Local\Temp\mv5UKbIUPK.bat

                                        Filesize

                                        220B


                                      • C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat

                                        Filesize

                                        220B


                                      • C:\Users\Admin\AppData\Local\Temp\sQQ1IAg9p0.bat

                                        Filesize

                                        220B


                                      • C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat

                                        Filesize

                                        220B


                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                        Filesize

                                        7KB


                                      • C:\providercommon\1zu9dW.bat

                                        Filesize

                                        36B


                                      • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                        Filesize

                                        197B


                                      • \providercommon\DllCommonsvc.exe

                                        Filesize

                                        1.0MB


                                      • memory/1124-506-0x0000000000A20000-0x0000000000B30000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1144-446-0x00000000002F0000-0x0000000000400000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1788-40-0x00000000009D0000-0x0000000000AE0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1864-625-0x00000000001F0000-0x0000000000300000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1976-325-0x0000000001120000-0x0000000001230000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1976-326-0x0000000000450000-0x0000000000462000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/2080-84-0x000000001B5B0000-0x000000001B892000-memory.dmp

                                        Filesize

                                        2.9MB

                                      • memory/2084-15-0x0000000000760000-0x000000000076C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/2084-14-0x0000000000750000-0x0000000000762000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/2084-16-0x0000000000770000-0x000000000077C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/2084-13-0x0000000001220000-0x0000000001330000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2084-17-0x0000000000780000-0x000000000078C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/2136-86-0x00000000023C0000-0x00000000023C8000-memory.dmp

                                        Filesize

                                        32KB

                                      • memory/2292-386-0x0000000000240000-0x0000000000252000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/2436-265-0x0000000000990000-0x0000000000AA0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2660-205-0x00000000003E0000-0x00000000004F0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2700-145-0x0000000000FD0000-0x00000000010E0000-memory.dmp

                                        Filesize

                                        1.1MB