Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 17:42

General

  • Target

    JaffaCakes118_78b60271ca40b809e0e1aa37c8e730ea3bbfb8007b78fc7e5a17f533736c0570.exe

  • Size

    1.3MB

  • MD5

    8acc9f8314310074bc3a4f799fd4ecbe

  • SHA1

    67f7b1c1e8a768a3d865c5323896944e63041c82

  • SHA256

    78b60271ca40b809e0e1aa37c8e730ea3bbfb8007b78fc7e5a17f533736c0570

  • SHA512

    c75f755e99b9a789b7a71f5153c295da4de2e27fb38875ea628c1906fff4df7105a75669c020ce63b4b8d4c34a00b52f42d46dde2c6a2e7f8400e9243ab79989

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. Here the hits are the schtasks.exe /create invocations listed at the end of the process tree.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. Every hit in this run is Add-MpPreference -ExclusionPath with one of the dropped executables as the path. Add-MpPreference needs an elevated context, and the Defender PowerShell module is not part of Windows 7, so on this image the calls fail; the attempt itself is the indicator. On a supported host, Get-MpPreference | Select-Object -ExpandProperty ExclusionPath shows what was added.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. This sample registers three tasks per dropped copy: one ONLOGON task and two MINUTE-interval tasks (every 6 to 14 minutes) that re-run the copy; the ONLOGON task and one of the interval tasks are created with /rl HIGHEST. The copies borrow core Windows binary names (smss.exe, csrss.exe, dwm.exe, wininit.exe, services.exe, conhost.exe, taskhost.exe, sppsvc.exe) but live outside System32, which is the detail to key on when triaging schtasks /query output.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
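The signatures above that leave the clearest command-line trail are the Defender exclusions, the schtasks persistence and, further down in the process tree, the w32tm delay. The following is an added example, not part of the sandbox report or of any vendor's rule set: it runs a small set of checks over process-creation command lines (constructed here from the ones in this report plus two benign controls), flags Add-MpPreference exclusions, flags schtasks /create entries whose target borrows a Windows system binary name outside a system directory or that request /rl HIGHEST or a short re-run interval, and flags w32tm /stripchart against localhost. SYSTEM_NAMES and SYSTEM_DIRS are assumptions for a default install; the finding strings are this example's own.

```python
import re
from pathlib import PureWindowsPath

# Names of core Windows binaries that this family reuses for its dropped copies. A genuine
# copy lives in one of SYSTEM_DIRS (assumption: default install, no relocated %SystemRoot%).
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "dwm.exe", "wininit.exe", "services.exe",
                "conhost.exe", "taskhost.exe", "sppsvc.exe", "lsass.exe", "svchost.exe",
                "winlogon.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}

TOKEN = re.compile(r'"[^"]*"|\S+')
MP_EXCLUSION = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Extension|Process)\s+(?:'([^']*)'|(\S+))", re.I)
W32TM_DELAY = re.compile(r"w32tm\s+/stripchart\s+/computer:localhost\b", re.I)


def tokens(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans together."""
    return [t.strip('"').strip("'") for t in TOKEN.findall(cmdline)]


def schtasks_args(cmdline):
    """Pick the switches we care about out of a schtasks /create command line."""
    toks, args, i = tokens(cmdline), {}, 0
    while i < len(toks):
        key = toks[i].lower()
        if key in ("/tn", "/sc", "/mo", "/tr", "/rl") and i + 1 < len(toks):
            args[key[1:]] = toks[i + 1]
            i += 2
        else:
            if key == "/create":
                args["create"] = True
            i += 1
    return args


def check_schtasks(cmdline):
    a = schtasks_args(cmdline)
    if not a.get("create"):
        return []
    findings, target = [], PureWindowsPath(a.get("tr", ""))
    name, parent = target.name.lower(), str(target.parent).lower()
    if name in SYSTEM_NAMES and parent not in SYSTEM_DIRS:
        findings.append(f"masquerade: {name} outside a system directory ({target.parent})")
    if a.get("rl", "").upper() == "HIGHEST":
        findings.append("task runs at highest privilege level")
    sc = a.get("sc", "").upper()
    if sc == "ONLOGON":
        findings.append("logon persistence")
    elif sc == "MINUTE" and a.get("mo", "").isdigit() and int(a["mo"]) <= 15:
        findings.append(f"re-executed every {a['mo']} min")
    return findings


def check_powershell(cmdline):
    return [f"defender exclusion ({kind}): {quoted or bare}"
            for kind, quoted, bare in MP_EXCLUSION.findall(cmdline)]


def scan(events):
    """events: iterable of (pid, image path, command line). Returns {pid: [finding, ...]}."""
    results = {}
    for pid, image, cmdline in events:
        image_name = PureWindowsPath(image).name.lower()
        findings = []
        if image_name == "powershell.exe":
            findings = check_powershell(cmdline)
        elif image_name == "schtasks.exe":
            findings = check_schtasks(cmdline)
        elif image_name == "w32tm.exe" and W32TM_DELAY.search(cmdline):
            findings = ["w32tm /stripchart against localhost (sleep substitute)"]
        if findings:
            results[pid] = findings
    return results


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ST = r"C:\Windows\system32\schtasks.exe"
# Constructed sample: command lines copied from the report, plus two benign controls (7001, 7002).
SAMPLE_EVENTS = [
    (1820, PS, "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\providercommon\\DllCommonsvc.exe'"),
    (1664, PS, "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Program Files (x86)\\Internet Explorer\\System.exe'"),
    (2544, ST, "schtasks.exe /create /tn \"smss\" /sc ONLOGON /tr \"'C:\\providercommon\\smss.exe'\" /rl HIGHEST /f"),
    (2596, ST, "schtasks.exe /create /tn \"smsss\" /sc MINUTE /mo 11 /tr \"'C:\\providercommon\\smss.exe'\" /f"),
    (1816, ST, "schtasks.exe /create /tn \"sppsvcs\" /sc MINUTE /mo 14 /tr \"'C:\\Windows\\ehome\\en-US\\sppsvc.exe'\" /f"),
    (2920, r"C:\Windows\system32\w32tm.exe", "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    (7001, ST, "schtasks.exe /create /tn \"Defrag\" /sc WEEKLY /tr \"C:\\Windows\\System32\\defrag.exe\" /f"),
    (7002, PS, "\"powershell\" -Command Get-MpPreference"),
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(findings))
```

Feed it Sysmon Event ID 1 or Security 4688 records (with command-line auditing enabled) instead of the constructed list; the two benign controls produce no findings, so the checks do not fire on ordinary scheduled maintenance or on read-only Defender queries.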

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78b60271ca40b809e0e1aa37c8e730ea3bbfb8007b78fc7e5a17f533736c0570.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78b60271ca40b809e0e1aa37c8e730ea3bbfb8007b78fc7e5a17f533736c0570.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2752
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2792
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1820
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2496
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:544
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\en-US\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1360
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1664
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\en-US\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2980
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1644
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1724
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1964
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\Sample Media\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:740
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1500
          • C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe
            "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1512
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3000
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2920
                • C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe
                  "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2516
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2700
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:1812
                      • C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe
                        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1904
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN1wkOWwnv.bat"
                          10⤵
                            PID:1644
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              11⤵
                                PID:2312
                              • C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe
                                "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe"
                                11⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2308
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat"
                                  12⤵
                                    PID:1652
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      13⤵
                                        PID:2948
                                      • C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe
                                        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe"
                                        13⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1012
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat"
                                          14⤵
                                            PID:2780
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              15⤵
                                                PID:2816
                                              • C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe
                                                "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe"
                                                15⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1812
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat"
                                                  16⤵
                                                    PID:1020
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      17⤵
                                                        PID:1904
                                                      • C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe
                                                        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe"
                                                        17⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1672
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"
                                                          18⤵
                                                            PID:1160
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              19⤵
                                                                PID:1008
                                                              • C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe
                                                                "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe"
                                                                19⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:928
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat"
                                                                  20⤵
                                                                    PID:596
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      21⤵
                                                                        PID:2804
                                                                      • C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe
                                                                        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe"
                                                                        21⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1788
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat"
                                                                          22⤵
                                                                            PID:2324
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              23⤵
                                                                                PID:2416
                                                                              • C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe
                                                                                "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe"
                                                                                23⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:1312
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat"
                                                                                  24⤵
                                                                                    PID:1708
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      25⤵
                                                                                        PID:1088
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2596
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2544
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2572
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2932
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2936
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1648
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\ehome\en-US\sppsvc.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1816
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ehome\en-US\sppsvc.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1900
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\ehome\en-US\sppsvc.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1156
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\System.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2052
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2016
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1728
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\en-US\wininit.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2012
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\wininit.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1204
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\en-US\wininit.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2280
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\services.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2456
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\services.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2912
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\services.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1988
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2400
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2204
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2144
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2076
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:664
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:972
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Recorded TV\Sample Media\taskhost.exe'" /f
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2208
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\taskhost.exe'" /rl HIGHEST /f
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:448
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Recorded TV\Sample Media\taskhost.exe'" /rl HIGHEST /f
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1668
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:800
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1220
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1368

                                      Network

                                            Downloads
