Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 17:46

General

  • Target

    JaffaCakes118_41052e8a35b445c4ea256b0938e354ec44537049730476d5b5c5980c29c26ec9.exe

  • Size

    1.3MB

  • MD5

    5e44b89b39c58244d07e53f6ed7cc212

  • SHA1

    7dee7a8cb4049ebe460d1c4101c9e05bf67b5cf5

  • SHA256

    41052e8a35b445c4ea256b0938e354ec44537049730476d5b5c5980c29c26ec9

  • SHA512

    9ad165c96e362b135fc7f767d931a71f6e1316e9267574f02508a98e3d6aad076436a8547b5e2e53fbd898942b8c3c6b404628c49a9b2c40c8bb1cd0d2933dad

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_41052e8a35b445c4ea256b0938e354ec44537049730476d5b5c5980c29c26ec9.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_41052e8a35b445c4ea256b0938e354ec44537049730476d5b5c5980c29c26ec9.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2420
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1676
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2568
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2328
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\ja-JP\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2376
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2556
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5oQSJwSTU5.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1952
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1784
              • C:\providercommon\DllCommonsvc.exe
                "C:\providercommon\DllCommonsvc.exe"
                6⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1956
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1916
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\csrss.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2264
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1772
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2920
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dllhost.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2196
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3040
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1852
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1608
                • C:\providercommon\audiodg.exe
                  "C:\providercommon\audiodg.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2224
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2788
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:2392
                      • C:\providercommon\audiodg.exe
                        "C:\providercommon\audiodg.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:856
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\goxiuQmrpE.bat"
                          10⤵
                            PID:2688
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              11⤵
                                PID:2684
                              • C:\providercommon\audiodg.exe
                                "C:\providercommon\audiodg.exe"
                                11⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1752
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B7rL9EqqPR.bat"
                                  12⤵
                                    PID:1636
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      13⤵
                                        PID:2248
                                      • C:\providercommon\audiodg.exe
                                        "C:\providercommon\audiodg.exe"
                                        13⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:640
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aTd08pZfDw.bat"
                                          14⤵
                                            PID:1632
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              15⤵
                                                PID:2216
                                              • C:\providercommon\audiodg.exe
                                                "C:\providercommon\audiodg.exe"
                                                15⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2712
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\goxiuQmrpE.bat"
                                                  16⤵
                                                    PID:2700
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      17⤵
                                                        PID:1496
                                                      • C:\providercommon\audiodg.exe
                                                        "C:\providercommon\audiodg.exe"
                                                        17⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1596
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat"
                                                          18⤵
                                                            PID:2372
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              19⤵
                                                                PID:2592
                                                              • C:\providercommon\audiodg.exe
                                                                "C:\providercommon\audiodg.exe"
                                                                19⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:1872
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n3vYZhDjEH.bat"
                                                                  20⤵
                                                                    PID:1992
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      21⤵
                                                                        PID:1656
                                                                      • C:\providercommon\audiodg.exe
                                                                        "C:\providercommon\audiodg.exe"
                                                                        21⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1088
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat"
                                                                          22⤵
                                                                            PID:560
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              23⤵
                                                                                PID:848
                                                                              • C:\providercommon\audiodg.exe
                                                                                "C:\providercommon\audiodg.exe"
                                                                                23⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2012
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"
                                                                                  24⤵
                                                                                    PID:2612
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      25⤵
                                                                                        PID:2008
                                                                                      • C:\providercommon\audiodg.exe
                                                                                        "C:\providercommon\audiodg.exe"
                                                                                        25⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:948
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat"
                                                                                          26⤵
                                                                                            PID:1452
                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                              27⤵
                                                                                                PID:2748
                                                                                              • C:\providercommon\audiodg.exe
                                                                                                "C:\providercommon\audiodg.exe"
                                                                                                27⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:2220
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\ja-JP\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2224
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\ja-JP\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2716
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Services\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1072
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Services\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2272
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2792
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1236
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1756
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2112
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2668
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\providercommon\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1648
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:576
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2776
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1688
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2528
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2520
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2104
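Every schtasks line above follows one template: a file named after a Windows system process (dllhost.exe, audiodg.exe, WmiPrvSE.exe) placed under C:\MSOCache or C:\providercommon, registered once ONLOGON with /rl HIGHEST and again on a MINUTE trigger, always with /f so an existing task of the same name is replaced without a prompt (note that "dllhostd" and "audiodga" are each created more than once, the later call overwriting the earlier one). The Python below is an added triage helper, not part of this sandbox report or of DCRat: it parses schtasks command lines as logged here and records the traits a responder would pivot on. SAMPLE_CMDLINES is copied from the entries above; SYSTEM_BINARY_DIRS and the 15-minute threshold are my own assumptions and should be tuned from a known-good image.

```python
"""Triage schtasks /create command lines from a sandbox process tree.

Added example for this report, not part of the sandbox output or of DCRat.
SAMPLE_CMDLINES is copied from the entries above; SYSTEM_BINARY_DIRS and
HIGH_FREQUENCY_MINUTES are assumptions used to score the tasks.
"""
import re
from dataclasses import dataclass, field

# Four of the command lines logged above, copied verbatim.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f''',
    r'''schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\providercommon\audiodg.exe'" /f''',
    r'''schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f''',
]

# Assumption: where each impersonated Windows binary legitimately lives.
# Illustrative, not exhaustive; extend it from your own golden image.
SYSTEM_BINARY_DIRS = {
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "audiodg.exe": {r"c:\windows\system32"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
HIGH_FREQUENCY_MINUTES = 15  # assumption: MINUTE triggers at or below this are odd for real software

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def parse_schtasks(cmdline):
    """Map /flag -> value; flags without a following value (e.g. /create, /f) map to True."""
    toks = tokenize(cmdline)
    opts = {}
    i = 1  # toks[0] is schtasks.exe itself
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def task_target(tr):
    """Executable path from a /tr value; DCRat wraps the path in single quotes."""
    m = re.match(r"""\s*(['"])(.+?)\1""", tr)
    return m.group(2) if m else tr.split()[0]


def _text(value):
    return "" if isinstance(value, bool) or value is None else str(value)


@dataclass
class TaskFinding:
    name: str
    target: str
    schedule: str
    flags: list = field(default_factory=list)


def triage_task(cmdline):
    """Score one schtasks command line; returns None unless it creates a task with an action."""
    opts = parse_schtasks(cmdline)
    if "create" not in opts or not isinstance(opts.get("tr"), str):
        return None
    target = task_target(opts["tr"])
    finding = TaskFinding(_text(opts.get("tn")), target, _text(opts.get("sc")).upper())
    parent, _, base = target.lower().rpartition("\\")
    expected = SYSTEM_BINARY_DIRS.get(base)
    if expected is not None and parent not in expected:
        finding.flags.append("masquerade")      # system binary name, non-system directory
    mo = _text(opts.get("mo", "1"))             # schtasks defaults /mo to 1 for MINUTE
    if finding.schedule == "MINUTE" and mo.isdigit() and int(mo) <= HIGH_FREQUENCY_MINUTES:
        finding.flags.append("high-frequency")  # relaunch loop doubling as a watchdog
    if _text(opts.get("rl")).upper() == "HIGHEST":
        finding.flags.append("elevated")        # runs with the creator's highest available token
    if opts.get("f") is True:
        finding.flags.append("force-overwrite") # silently replaces an existing task of that name
    return finding


def triage(cmdlines):
    """Findings for every task-creating command line, in input order."""
    return [f for f in map(triage_task, cmdlines) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"{f.name:<10} {f.schedule:<8} {','.join(f.flags):<40} {f.target}")
```

The parser deliberately honours only double quotes, which is how the Windows command line is split; the single quotes around the /tr path are part of the value DCRat writes, so task_target strips them separately. On a live host the same scoring applies to the Actions and Triggers of tasks enumerated from the Task Scheduler rather than to command lines.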

                                          Network

                                                MITRE ATT&CK Enterprise v15


                                                Downloads

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize 342B
  MD5 b5eb00a730fb1dbc5a5f87556cb8ab0c
  SHA1 38a66b5333e089125239f8ee048b2fb588837a7d
  SHA256 16908a00400536e73fd31d39cd58bdca7e04f74dd8f582be349c90faccf35e83
  SHA512 900dbadac8ac96c1ccc297799f2ba76f25006188b5b170f25d6e539a1cb7a10a4c23377a3e635ccff86603c7c01c01b3a47736764966eca1262432db6cefa9e4

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize 342B
  MD5 9790de75f7cd09bae295ae397e31c1a0
  SHA1 94bfa8708b0875346381e61346226e0bb7d4d417
  SHA256 05bad19a5d7b6d877e23048364f02b445a48d32f700bb4e8b30dc1ebd8d2c6d3
  SHA512 3dab2ce52e006d3e232e2bb0c59984c0f996b54169a5f452d80860aef733a21217eb21fd12f013bd98310541d37e5a18e852b5d0f08dc1b72d1e744ab1fe3db0

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize 342B
  MD5 8587a4db2e7df6d3d0096cac34be01f1
  SHA1 27bb8e389ef14c94ad66ab34f49849b4b16e1d65
  SHA256 413fb27705874f40c4989b35ecbad6ada9d9f9a50a29198c10cbe5a51cb51be4
  SHA512 e27485198ee592494e5a77d7791c250b4b3d2cc36dc003bb0c5a59068b41cb098e423f631b6487eb5a226d72897acb8550f77e6d6daacdf4e8d7f7f33f82d954

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize 342B
  MD5 0e580e9ea7aaae428a8153de2da4de93
  SHA1 44c3714bef5d6dd5f7e65b21ff919355eecb02db
  SHA256 f18c11a1fec05157a838913ef7c80a48ab262d4c176b4a3ebf8633e9277df061
  SHA512 0a1c91e01d4dafb0c777792deb4566f1599e3e46123b2c2e5d5366b7875eb1a2b669603d9017ca5f3191f13907d89476e8c645409542a1a710d78a04431e9ee1

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize 342B
  MD5 5d09033e28f613d4e6d1a29051ad0c2d
  SHA1 bfcf0c4f3f8a44b619f30a65c2e20b4f7d8412bd
  SHA256 8868feda1a4a39cf99a5b6d40a699b5141d283c7dfeb583be0eca059a22f7731
  SHA512 252bdad6c73c050305e8909c934800339d637d4065fc033b74a0837cfb422c8c268075c2d6c54bada6677cf10a00b772417e8d44356d46b1627fbb1cf821170c

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize 342B
  MD5 734d97d78e25873388ae3fa06f83aac1
  SHA1 5588c69ed7d95afe2ec366b8c84a5e97704e9957
  SHA256 3fc8b602dcdca478c9eed1986e02564c12da59050412d40f5f7d184977e494e5
  SHA512 fefbce8e9d36f20184d4139c9d8c30e895ed9da197fe96d944cbfea8af8a22bb1e3f809d751a472317ee81c607fbf743494a5f4205ed1ad1a9faef5afb3bca1d

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize 342B
  MD5 469443a9e0f468713885bbf0d054b8b2
  SHA1 362b3b77b8f62e72e8eff6b909fad62f1289e0ff
  SHA256 43c58c5ec7b5100ad54abacd8ce65885457664be8d405b16c6b6846a7bfca2aa
  SHA512 a140f2440b48b13901d4c4badebf10906b3fa2d146d514bfe1371560e1f48dda80df392e66eed01b5638b7dd4bbb9615b053783416e195022a39902eca460ba4

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize 342B
  MD5 df74f20934479604783da47b8a72e0a9
  SHA1 c6a1285a0a8bc727ebb1d581914c346449acb99f
  SHA256 69967d5ab6e5bd0be6b67a37289a623014161fe79cb74f47ab1ced0be6841a25
  SHA512 71b2fd38e61035c78de1f2fbffc7ea37f43084bcd9dc7a40fbd8a06925057c668d21293ec270d66d759f7e31048babf6acfebb1524d67730a7289e3a0347a3da

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize 342B
  MD5 8dbc1f5b9c64fdf11335459e16e83e54
  SHA1 4d6ece5b1b9fe8b547ae6451ebc8cda4a51b296f
  SHA256 5c9ba296856b9deeaba0d118e5622f434170ceffa697cfddea88fdfdbca28061
  SHA512 624635a9133bbaa6cf740150f964ec2d961678b5e3bdc55092b7ae3323965ae1be05230651cc524979a5ed67fe99ff46e5ab05b7ecf459fd8349f5960bc6caa2

• C:\Users\Admin\AppData\Local\Temp\5oQSJwSTU5.bat
  Filesize 199B
  MD5 4205300563381855ac7d9bf3a21c0277
  SHA1 27954f2c3dd819cbbf23f986aeca96c26d798a7a
  SHA256 d3590d2f2e02704a6d02dbcd71093ab2c947b1e855f5603afc6fa78c099b7204
  SHA512 a32bc2d30e0c18070e41b88e7f61b470fa2dca0aa54e6d833bdfbc51d97e74ffd079454eea2f10130d340a5d3ccf545f993a2cd0fea4148823e213c5be4ea3bc

• C:\Users\Admin\AppData\Local\Temp\B7rL9EqqPR.bat
  Filesize 194B
  MD5 d0ff93ee4caf3153bf7f9bfcbd18e4f4
  SHA1 21483972233b3e5fcfb6ba5e5d26aaf94c303af6
  SHA256 1d6464489c925306290044de4a5fd6261809cb38bf864871043da0319eda288d
  SHA512 7e884725f3974a72a0cc76c1862fa86230d5d9644244a91240b65dc4b1388bfcf91922dfcec23c57312ee4fc5df13b5262c6842b41520ea84450d1f9e76f7d4d

• C:\Users\Admin\AppData\Local\Temp\Cab18C0.tmp
  Filesize 70KB
  MD5 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1 1723be06719828dda65ad804298d0431f6aff976
  SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

• C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat
  Filesize 194B
  MD5 d21a24d309219b06aa883bc66737f140
  SHA1 061e25b5f92f8f138827a4e3ab0e30b6f3016296
  SHA256 b5c2fc4bed330f915acdd8c16d1e64de9f8c44bcff538285198424e87a3c795f
  SHA512 7812c08d446e7e3385ce032997c7c76dc5d7d3431cd7427efebb7363e9e50de61e3e35aea22a38deb2bc021d972ac54bf3f7100e01433c1517f58f47c7d9c95f

• C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat
  Filesize 194B
  MD5 3f368d94311c8eda6e63dd2430d71248
  SHA1 531d169ad4a86287950d15bf674d99fc9d39960f
  SHA256 0e105e54e53f59f4424526dea46e8f88af828aa8f52355be583e8da357d43ec0
  SHA512 56cb6dcccc17c59daa6ff8291b3a366628a909e52c27249fd05685c74916f5a46fa91bb86293e8fcca3f449c8ac233dc0dc840f9e8cb1b5e920f938bbb331906

• C:\Users\Admin\AppData\Local\Temp\Tar18E3.tmp
  Filesize 181KB
  MD5 4ea6026cf93ec6338144661bf1202cd1
  SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

• C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat
  Filesize 194B
  MD5 f089a221950b649cf19f5e1da24b3b6b
  SHA1 d9675f6562ab65b6e12b76758105c4e2d4ee6d8a
  SHA256 52b9ef8321faab148868569e5da68f0e14800e54ce6b30be670dbbdd966d7cc4
  SHA512 88c052b6db759a6d7f3f0c8b1db4cc3d59c4d570e2cd38553f059f009105f07b3230661d3b82609bf3f9b71653614099edc3bdaff6de207df416f63312eddb24

• C:\Users\Admin\AppData\Local\Temp\aTd08pZfDw.bat
  Filesize 194B
  MD5 9c60b19642120f297058ecd74361e524
  SHA1 3ac24623a5734675cfc1fda54cd8d992e8263f9b
  SHA256 cdb5c254078fc798bc691d901cde9e0324670440a3dee7517a2bde119f88b08c
  SHA512 f64bec12376d704648edd82bf8d268d1674f48c1cdb364b375014f9a2461b9ba221c081b382ad4afe7333322c9d326d49148260b1569949a35d219f7c7f7e5b8

• C:\Users\Admin\AppData\Local\Temp\goxiuQmrpE.bat
  Filesize 194B
  MD5 5c1dd581ce89a5a80955434a61a532f7
  SHA1 e15e65e406ff733e734cc2db86f5f62f1d3de367
  SHA256 2a22f473363e4398bc86cecddcfb7ffc2b679650c614d8cb57e21aa517843c61
  SHA512 7a2808e7e9f58c2e2beee0e8205a2b216d8bd0d120c0e1fd7ec8ff2dbebdb7ed99ca640363683c0a23ea6504a0a9b93799207606bf61cb7fdefe6ab31d469919

• C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat
  Filesize 194B
  MD5 166ad83827d05190143fe21093076984
  SHA1 ae88b852d82f4ff90dc3c93aa89046b2572ee6fb
  SHA256 1bca4b6e8b3474e247de7f16a8e12a22be5cdb933905beea005dfe78d93ca677
  SHA512 4253761b702e5c48ab064cd6185330b65ed1d98717f208cc05fbe744bca0d4522fbc03e1fd49b300f5f4a7463b72a7c0d20ec46ac0e04e10e277da1d4e23e5ca

• C:\Users\Admin\AppData\Local\Temp\n3vYZhDjEH.bat
  Filesize 194B
  MD5 ae1eaef5568f925764bd6558288b085d
  SHA1 d881890a90036e3a4b7ec0a0763cbc1fc405fe61
  SHA256 efaa6e76d8ebe78cd34694bab8270e6130643812475ed63cf3c559c2648add90
  SHA512 6ecd2964c62ac33e7bd3009aff1d3cde9b8456b352954a5b7f4fb2d059bcb4e8ccdeb9f3d426f71bd46497f927adb67399dc1efd64da63196ac76c04d7339d39

• C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat
  Filesize 194B
  MD5 de8ca61232879ef985912dd151f97f72
  SHA1 dee6c71e03ec9708a1877ffa967352dbdd9df9da
  SHA256 d47b457e158db45a15bdfcf8a080938bebce5c0c14262e863e97f6cce78c4371
  SHA512 4c193e9102647d8492cd7a2837b892c51e667a9042ec720221cc87ebf8c9df81ccbd260d426d9c1ef34a2573062bd5c59c84e8e29e6f6738d787dd877b78b7eb

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize 7KB
  MD5 31d700dd16be1689cd1d77a81e7693d0
  SHA1 dabc52ee99675bffac69cfab10bfc87df66b5bee
  SHA256 f7161b5bbe624cd6f0ac72395eabf397f294ba318091c3dc061de4c3a258aa06
  SHA512 b4d390be9286af158300c6217efcbdf294cf95ffd263a34cc6edfbeb0275449f2528318139321412af71575e0b87aa48d9356486fd3156a8e8186d3fe75e9ede

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize 7KB
  MD5 87200d97d806a25f86b0f340cef13654
  SHA1 20c4034c55c56d377c97a6d22268ce26ffd0f8e7
  SHA256 d53b2fff150756b2ef9d4eb1eee548a2fbf2706c5c3685bf77ed98df2e815b15
  SHA512 a1331828afd2583de25b5efc91970b6b133332e396bd076d777f76f04f977bf7f798773b02d79f19171a8344d8db39ce3ca3350710ea033bdc87b82a779a18b7

• C:\providercommon\1zu9dW.bat
  Filesize 36B
  MD5 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• C:\providercommon\DllCommonsvc.exe
  Filesize 1.0MB
  MD5 bd31e94b4143c4ce49c17d3af46bcad0
  SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize 197B
  MD5 8088241160261560a02c84025d107592
  SHA1 083121f7027557570994c9fc211df61730455bb5
  SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

• memory/856-166-0x0000000000340000-0x0000000000352000-memory.dmp
  Filesize 72KB

• memory/948-640-0x00000000003C0000-0x00000000003D2000-memory.dmp
  Filesize 72KB

• memory/1752-226-0x0000000000440000-0x0000000000452000-memory.dmp
  Filesize 72KB

• memory/1772-79-0x0000000001EE0000-0x0000000001EE8000-memory.dmp
  Filesize 32KB

• memory/1956-44-0x0000000000280000-0x0000000000390000-memory.dmp
  Filesize 1.1MB

• memory/2224-92-0x0000000001310000-0x0000000001420000-memory.dmp
  Filesize 1.1MB

• memory/2264-76-0x000000001B7C0000-0x000000001BAA2000-memory.dmp
  Filesize 2.9MB

• memory/2376-42-0x0000000002030000-0x0000000002038000-memory.dmp
  Filesize 32KB

• memory/2556-41-0x000000001B710000-0x000000001B9F2000-memory.dmp
  Filesize 2.9MB

• memory/2568-13-0x00000000003F0000-0x0000000000500000-memory.dmp
  Filesize 1.1MB

• memory/2568-14-0x00000000003D0000-0x00000000003E2000-memory.dmp
  Filesize 72KB

• memory/2568-15-0x0000000000510000-0x000000000051C000-memory.dmp
  Filesize 48KB

• memory/2568-16-0x00000000003E0000-0x00000000003EC000-memory.dmp
  Filesize 48KB

• memory/2568-17-0x0000000000500000-0x000000000050C000-memory.dmp
  Filesize 48KB
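The dropped-file list is the hunting material for this sample: the executable, a .vbe loader and a tiny .bat land in C:\providercommon, a run of near-identically sized .bat files lands in the user's Temp, and every entry carries MD5, SHA1, SHA256 and SHA512. The Python below is an added example, not part of the sandbox output or of DCRat: it parses entries in this listing's format (the one-value-per-line layout and a compact "Label value" layout) into records, flags drops into directories where a fresh executable or script is unexpected, and walks a directory tree comparing SHA256 digests against the extracted set. REPORT_SNIPPET holds two entries copied from the list; SUSPICIOUS_ROOTS is my assumption, and the file planted by demo_scan is a constructed stand-in whose digest is added to the set only so the walk has something to find.

```python
"""Turn a sandbox dropped-file listing into hunt material.

Added example for this report, not part of the sandbox output or of DCRat.
REPORT_SNIPPET is copied from the listing above; SUSPICIOUS_ROOTS and the
planted stand-in file in demo_scan() are assumptions for the demonstration.
"""
import hashlib
import os
import tempfile

# Two entries copied from the report, the first compacted to "Label value",
# the second in the report's one-value-per-line layout; both parse.
REPORT_SNIPPET = r"""
• C:\providercommon\DllCommonsvc.exe
  Filesize 1.0MB
  MD5 bd31e94b4143c4ce49c17d3af46bcad0
  SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• C:\Users\Admin\AppData\Local\Temp\5oQSJwSTU5.bat

  Filesize

  199B

  MD5

  4205300563381855ac7d9bf3a21c0277

  SHA1

  27954f2c3dd819cbbf23f986aeca96c26d798a7a

  SHA256

  d3590d2f2e02704a6d02dbcd71093ab2c947b1e855f5603afc6fa78c099b7204
"""

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")

# Assumption: directories where a newly written executable or script is
# unexpected on a workstation; both receive DCRat files in this report.
SUSPICIOUS_ROOTS = (r"c:\providercommon", r"c:\msocache")
EXECUTABLE_EXT = (".exe", ".dll", ".bat", ".cmd", ".vbs", ".vbe", ".ps1")


def parse_dropped_files(text):
    """Return one dict per bullet entry: {"path": ..., "Filesize": ..., "MD5": ..., ...}."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):                 # a new entry starts with its path
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
            continue
        if current is None:
            continue
        if pending:                               # value line following a bare label
            current[pending] = line
            pending = None
            continue
        label, _, rest = line.partition(" ")
        if label in LABELS:
            if rest.strip():
                current[label] = rest.strip()     # "Label value" on one line
            else:
                pending = label                   # bare label; value is on the next line
    return records


def unusual_drop_locations(records):
    """Paths of executable content written under a root that should not receive any."""
    return [r["path"] for r in records
            if r["path"].lower().startswith(SUSPICIOUS_ROOTS)
            and r["path"].lower().endswith(EXECUTABLE_EXT)]


def sha256_of(path):
    """Streamed SHA256 so large files do not have to be read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_ioc_hits(root, ioc_sha256):
    """Walk root and return (path, sha256) for every file whose digest is in ioc_sha256."""
    wanted = {h.lower() for h in ioc_sha256}
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of(path)
            except OSError:                       # locked or unreadable; skip, do not abort the hunt
                continue
            if digest in wanted:
                hits.append((path, digest))
    return hits


def demo_scan():
    """Plant a constructed stand-in, add its digest to the report's set, confirm the walk finds it."""
    iocs = {r["SHA256"] for r in parse_dropped_files(REPORT_SNIPPET) if "SHA256" in r}
    with tempfile.TemporaryDirectory() as tmp:
        planted = os.path.join(tmp, "DllCommonsvc.exe")
        with open(planted, "wb") as fh:
            fh.write(b"constructed stand-in, not the real payload\n")
        iocs.add(sha256_of(planted))              # stand-in only; a real hunt uses report hashes alone
        hits = find_ioc_hits(tmp, iocs)
    return [os.path.basename(path) for path, _ in hits]


if __name__ == "__main__":
    recs = parse_dropped_files(REPORT_SNIPPET)
    print("unexpected drop locations:", unusual_drop_locations(recs))
    print("planted stand-in found by digest:", demo_scan())
```

Hash matching only finds this exact build; the location check and the scheduled-task names are what survive a rebuild of the payload, so use both when sweeping hosts.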