Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 17:09

General

  • Target

    JaffaCakes118_21016ad2a1088da1d5e30404cff3b40daeadd9c6e5c6d05968842f8d3e66d20f.exe

  • Size

    1.3MB

  • MD5

    5d577105e0d44d5d1e896c7d33edf212

  • SHA1

    67dbfa0fcd1af1691823f97a89f94dbe25d13d7b

  • SHA256

    21016ad2a1088da1d5e30404cff3b40daeadd9c6e5c6d05968842f8d3e66d20f

  • SHA512

    93515b2619d713fe21937acd707a7f6e2c126bf70c426b2051c707e04cb4a987dba9168191f7720863e578a90f63ac5f385cb03e12999b19c405c062998d34fb

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21016ad2a1088da1d5e30404cff3b40daeadd9c6e5c6d05968842f8d3e66d20f.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21016ad2a1088da1d5e30404cff3b40daeadd9c6e5c6d05968842f8d3e66d20f.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1700
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1052
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1952
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1688
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:480
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:680
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1144
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:264
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\features\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:308
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1932
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Favorites\Links for United States\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:948
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1368
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\ja-JP\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1968
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2008
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\ja-JP\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2560
          • C:\providercommon\dllhost.exe
            "C:\providercommon\dllhost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1916
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2168
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:1980
                • C:\providercommon\dllhost.exe
                  "C:\providercommon\dllhost.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1052
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mWzz7cjAeP.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1812
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:2008
                      • C:\providercommon\dllhost.exe
                        "C:\providercommon\dllhost.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:948
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat"
                          10⤵
                            PID:1308
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              11⤵
                                PID:680
                              • C:\providercommon\dllhost.exe
                                "C:\providercommon\dllhost.exe"
                                11⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1588
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SU2rmp5bpW.bat"
                                  12⤵
                                    PID:2784
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      13⤵
                                        PID:2676
                                      • C:\providercommon\dllhost.exe
                                        "C:\providercommon\dllhost.exe"
                                        13⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2056
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat"
                                          14⤵
                                            PID:2076
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              15⤵
                                                PID:1336
                                              • C:\providercommon\dllhost.exe
                                                "C:\providercommon\dllhost.exe"
                                                15⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2684
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat"
                                                  16⤵
                                                    PID:304
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      17⤵
                                                        PID:2504
                                                      • C:\providercommon\dllhost.exe
                                                        "C:\providercommon\dllhost.exe"
                                                        17⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1584
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat"
                                                          18⤵
                                                            PID:2088
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              19⤵
                                                                PID:2204
                                                              • C:\providercommon\dllhost.exe
                                                                "C:\providercommon\dllhost.exe"
                                                                19⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2004
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PCaGvPqXNx.bat"
                                                                  20⤵
                                                                    PID:2648
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      21⤵
                                                                        PID:1640
                                                                      • C:\providercommon\dllhost.exe
                                                                        "C:\providercommon\dllhost.exe"
                                                                        21⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:2816
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat"
                                                                          22⤵
                                                                            PID:2180
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              23⤵
                                                                                PID:2324
                                                                              • C:\providercommon\dllhost.exe
                                                                                "C:\providercommon\dllhost.exe"
                                                                                23⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:1716
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat"
                                                                                  24⤵
                                                                                    PID:1636
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      25⤵
                                                                                        PID:2760
                                                                                      • C:\providercommon\dllhost.exe
                                                                                        "C:\providercommon\dllhost.exe"
                                                                                        25⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2908
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2608
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2540
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2488
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2952
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2252
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\browser\features\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\browser\features\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\providercommon\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2288
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Favorites\Links for United States\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1792
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links for United States\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Favorites\Links for United States\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:808
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:372
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1500
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\ja-JP\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\ja-JP\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\ja-JP\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2256
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3016
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2200
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2104
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\ja-JP\spoolsv.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2724
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\ja-JP\spoolsv.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1900
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\ja-JP\spoolsv.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1848

                                      Network

                                            MITRE ATT&CK Enterprise v15

                                            Downloads

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                            • C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat

                                              Filesize

                                              194B

                                            • C:\Users\Admin\AppData\Local\Temp\CabD387.tmp

                                              Filesize

                                              70KB

                                            • C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat

                                              Filesize

                                              194B

                                            • C:\Users\Admin\AppData\Local\Temp\PCaGvPqXNx.bat

                                              Filesize

                                              194B

                                            • C:\Users\Admin\AppData\Local\Temp\SU2rmp5bpW.bat

                                              Filesize

                                              194B

                                            • C:\Users\Admin\AppData\Local\Temp\TarD3A9.tmp

                                              Filesize

                                              181KB

                                            • C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat

                                              Filesize

                                              194B

                                            • C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat

                                              Filesize

                                              194B

                                            • C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat

                                              Filesize

                                              194B

                                            • C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat

                                              Filesize

                                              194B

                                            • C:\Users\Admin\AppData\Local\Temp\mWzz7cjAeP.bat

                                              Filesize

                                              194B

                                            • C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat

                                              Filesize

                                              194B

                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B0RCUS8BSZNG1FJ0QXMS.temp

                                              Filesize

                                              7KB

                                            • C:\providercommon\1zu9dW.bat

                                              Filesize

                                              36B

                                            • C:\providercommon\DllCommonsvc.exe

                                              Filesize

                                              1.0MB

                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                              Filesize

                                              197B

                                            • memory/480-86-0x000000001B6B0000-0x000000001B992000-memory.dmp

                                              Filesize

                                              2.9MB

                                            • memory/1052-167-0x0000000001160000-0x0000000001270000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/1368-96-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/1584-465-0x00000000003B0000-0x00000000004C0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/1916-50-0x00000000002F0000-0x0000000000400000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/1916-108-0x00000000001C0000-0x00000000001D2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/1952-16-0x00000000002F0000-0x00000000002FC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/1952-17-0x0000000000300000-0x000000000030C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/1952-15-0x00000000002E0000-0x00000000002EC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/1952-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/1952-13-0x0000000000310000-0x0000000000420000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2004-525-0x0000000000D60000-0x0000000000E70000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2056-345-0x0000000000390000-0x00000000004A0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2684-405-0x00000000012F0000-0x0000000001400000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2816-585-0x0000000000140000-0x0000000000152000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2908-704-0x0000000001130000-0x0000000001240000-memory.dmp

                                              Filesize

                                              1.1MB